Good questions indeed!
In the past, the testers repository held preliminary fixes that were supposed to be migrated to stable soon. At the moment, the testers repository contains packages for the next version of Whonix (Whonix 10). Much higher versions. So adding stable-fixes (for Whonix 9) to that repository doesn't work anymore. This dual purpose is really bad. It's an issue: should the tb-updater package be upgraded again, the package would have to go directly into stable without being able to give Whonix 9 stable-fixes testers an easy way to try it out, besides manually getting that package. Dunno how else that could be done better. I don't know how well this answers your question. You tell me.
We could do this as a release goal for Whonix 11. Since we fully control these packages, this should be doable. If we test this well before release, there shouldn't be much need for AppArmor fixes then?
Maybe. Probably not?
Long version: Gathered some information:
We do enable AppArmor by default since Whonix 9. This is done by the grub-enable-apparmor (https://github.com/Whonix/grub-enable-apparmor) package.
During installation, the auto-generated debhelper code will run the following command if AppArmor is enabled (i.e. if "sudo aa-status --enabled" exits 0):
apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.sdwdate
Looks like it does all that for us automatically? No manual reload required?