apparmor-profile-everything can give fine-grained execute permissions and already does for /home. It only allows the user to execute /home/*/.tb/tor-browser/Browser/{,start-tor-browser,firefox} and write permission for .tb/tor-browser/ is denied (so an attacker can’t overwrite those files).
Any other things TB needs to execute is handled by apparmor-profile-torbrowser (which is a dependency).