Comment 3 for bug 1732725

Christian Brauner (cbrauner) wrote :

This is how we mount it manually for the container when it has dropped CAP_SYS_ADMIN:

mount("cgroup", "/usr/lib/x86_64-linux-gnu/lxc/sys/fs/cgroup/unified", "cgroup2", MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_RELATIME, NULL) = 0

And this is how systemd mounts by itself in the container with the appropriate AppArmor deny:

mount("cgroup", "/sys/fs/cgroup/unified", "cgroup2", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL) = -1 EACCES (Permission denied)