Comment 8 for bug 1824812

Christian Ehrhardt  (paelzer) wrote : Re: apparmor no more starting in Disco LXD containers

Adding set -x and calling this directly:

Cosmic:
. /lib/apparmor/functions
is_container_with_internal_policy
+ local ns_stacked_path=/sys/kernel/security/apparmor/.ns_stacked
+ local ns_name_path=/sys/kernel/security/apparmor/.ns_name
+ local ns_stacked
+ local ns_name
+ '[' -f /sys/kernel/security/apparmor/.ns_stacked ']'
+ '[' -f /sys/kernel/security/apparmor/.ns_name ']'
+ read -r ns_stacked
+ '[' yes '!=' yes ']'
+ read -r ns_name
+ '[' 'c-testapparmor_<var-snap-lxd-common-lxd>' = 'lxd-c-testapparmor_<var-snap-lxd-common-lxd>' ']'
+ return 0

Disco:
. /lib/apparmor/rc.apparmor.functions
is_container_with_internal_policy
+ local ns_stacked_path=/.ns_stacked
+ local ns_name_path=/.ns_name
+ local ns_stacked
+ local ns_name
+ '[' -f /.ns_stacked ']'
+ return 1

OK, in my case the ENV var that is now used is not set.

$ export SFS_MOUNTPOINT=/sys/kernel/security/apparmor/
$ is_container_with_internal_policy
+ is_container_with_internal_policy
+ set -x
+ local ns_stacked_path=/sys/kernel/security/apparmor//.ns_stacked
+ local ns_name_path=/sys/kernel/security/apparmor//.ns_name
+ local ns_stacked
+ local ns_name
+ '[' -f /sys/kernel/security/apparmor//.ns_stacked ']'
+ '[' -f /sys/kernel/security/apparmor//.ns_name ']'
+ read -r ns_stacked
+ '[' yes '!=' yes ']'
+ read -r ns_name
+ '[' 'd-testapparmor_<var-snap-lxd-common-lxd>' = 'lxd-d-testapparmor_<var-snap-lxd-common-lxd>' ']'
+ return 0

Now it works. Could it be that in the init-script context this isn't set either?
Yep, that is it:
If I patch in the path, it works again
 # patch /lib/apparmor/rc.apparmor.functions to have SFS_MOUNTPOINT=/sys/kernel/security/apparmor/
 $ systemctl restart apparmor
 $ aa-status
   # lists all profiles again
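
The lookup traced in the comment above, rebuilt as an added example that is not code from the apparmor package or from this bug report: the function body is reconstructed from the set -x output (only the "lxd-" prefix comparison that appears in the trace is reproduced), the fake securityfs tree and the namespace names are constructed sample data, and APPARMOR_SFS_DEFAULT and the *_defaulted wrapper are hypothetical names for the defaulting fix. Running it reproduces the Disco failure (SFS_MOUNTPOINT unset, so the file test lands on /.ns_stacked) and the two ways out of it: exporting the path by hand, or having the function default the mount point itself.

```shell
#!/bin/sh
# Added example, not code from the apparmor package or from this bug report.
# is_container_with_internal_policy() is rebuilt from the set -x traces and
# run against a constructed fake securityfs tree, so the SFS_MOUNTPOINT
# dependency can be reproduced without a Disco LXD container.

# Build a fake apparmor securityfs directory holding the two files the
# check reads. The namespace name is constructed sample data in the
# "lxd-<container>_<path>" form seen in the trace.
make_fake_sfs() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/.ns_stacked"
    printf '%s\n' "$3" > "$1/.ns_name"
}

# Same control flow as the traced function: both files must exist,
# .ns_stacked must read "yes", and .ns_name must carry the "lxd-" prefix
# LXD gives its AppArmor namespaces. Only the "lxd-" comparison that
# appears in the trace is reproduced; the packaged function may test more.
# Like the shipped rc.apparmor.functions, it trusts $SFS_MOUNTPOINT as-is.
is_container_with_internal_policy() {
    ns_stacked_path="${SFS_MOUNTPOINT}/.ns_stacked"
    ns_name_path="${SFS_MOUNTPOINT}/.ns_name"
    [ -f "$ns_stacked_path" ] || return 1
    [ -f "$ns_name_path" ] || return 1
    read -r ns_stacked < "$ns_stacked_path"
    [ "$ns_stacked" = yes ] || return 1
    read -r ns_name < "$ns_name_path"
    [ "${ns_name#lxd-*}" != "$ns_name" ] || return 1
    return 0
}

# Hypothetical hardened wrapper: fall back to a default mount point when the
# environment does not supply one, which is what patching the path into
# rc.apparmor.functions achieved by hand. APPARMOR_SFS_DEFAULT is an
# assumed name so a test can point the default at the fake tree; the
# subshell keeps the caller's environment untouched.
is_container_with_internal_policy_defaulted() {
    (
        SFS_MOUNTPOINT="${SFS_MOUNTPOINT:-${APPARMOR_SFS_DEFAULT:-/sys/kernel/security/apparmor}}"
        is_container_with_internal_policy
    )
}

# Turn the exit status of the named check into a word for comparison.
verdict() {
    if "$1"; then echo internal; else echo external; fi
}

# Reproduce the comment: with the variable unset the file test runs on
# /.ns_stacked and the check reports no internal policy; with the variable
# exported by hand, or with the defaulted wrapper, the lxd- namespace is
# recognised. Runs in a subshell so no state leaks to the caller.
demo() {
    tmp=$(mktemp -d)
    make_fake_sfs "$tmp/apparmor" yes 'lxd-d-testapparmor_<var-snap-lxd-common-lxd>'
    (
        unset SFS_MOUNTPOINT
        echo "unset, as shipped:   $(verdict is_container_with_internal_policy)"
        APPARMOR_SFS_DEFAULT=$tmp/apparmor
        echo "unset, with default: $(verdict is_container_with_internal_policy_defaulted)"
        SFS_MOUNTPOINT=$tmp/apparmor
        echo "exported by hand:    $(verdict is_container_with_internal_policy)"
    )
    rm -rf "$tmp"
}

demo
```

The defaulted wrapper is the shape of fix a reviewer would ask for: an init script cannot rely on the caller's environment, so the script itself must own the securityfs path rather than inherit it.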