Comment 9 for bug 1953563

Stéphane Graber (stgraber) wrote:

root@dir:~# aa-exec -p snap.snap-store-proxy.snapproxy chown 0:0 /var/snap/snap-store-proxy/common/nginx/
chown: changing ownership of '/var/snap/snap-store-proxy/common/nginx/': Operation not permitted

root@zfs:~# aa-exec -p snap.snap-store-proxy.snapproxy chown 0:0 /var/snap/snap-store-proxy/common/nginx/
root@zfs:~# aa-exec -p snap.snap-store-proxy.snapproxy chown 1:1 /var/snap/snap-store-proxy/common/nginx/
chown: changing ownership of '/var/snap/snap-store-proxy/common/nginx/': Operation not permitted

That's despite the profiles not having "capability chown," inside them.
This suggests that apparmor will normally silently allow you to do a pointless chown (requested uid/gid matches existing uid/gid) but that logic isn't working properly with idmapped mounts.
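As an added example that is not part of the bug report or of the comment above, the following Python script checks the baseline kernel behaviour the comment relies on: changing a file's owner and group to the values it already has succeeds for an unprivileged process, because the kernel treats that as a no-op and never requires CAP_CHOWN (so no LSM capability check, and hence no AppArmor `capability chown,` rule, is involved), while changing to a different uid does require CAP_CHOWN. It uses a constructed temporary file on a plain local filesystem, so it shows the expected behaviour on the `dir` host rather than reproducing the idmapped-mount case on the `zfs` host.

```python
import os
import tempfile


def try_chown(path, uid, gid):
    """Attempt chown(2) on path.

    Returns True when the call succeeds and False when the kernel refuses it
    (EPERM without CAP_CHOWN, or EINVAL for a uid that is not mapped in the
    current user namespace). Any other error is unexpected and propagates.
    """
    try:
        os.chown(path, uid, gid)
        return True
    except OSError:
        return False


def is_privileged():
    """True when the effective uid is 0; used by the caller to decide what to expect."""
    return os.geteuid() == 0


def noop_chown_allowed():
    """chown a file we own to the owner:group it already has.

    This is the "pointless chown" from the comment: the kernel short-circuits
    the request when the caller owns the file and asks for the same ids, so
    it succeeds without CAP_CHOWN. A profile lacking `capability chown,`
    does not block it because the capability is never consulted.
    """
    with tempfile.NamedTemporaryFile() as f:  # constructed sample file
        st = os.stat(f.name)
        return try_chown(f.name, st.st_uid, st.st_gid)


def real_chown_allowed():
    """chown the same file to a different uid, which does need CAP_CHOWN.

    Expected: False for an unprivileged process, True for root (or any
    process holding CAP_CHOWN). The target uid is simply the current owner
    plus one; it is an arbitrary constructed value, not a real account.
    """
    with tempfile.NamedTemporaryFile() as f:  # constructed sample file
        st = os.stat(f.name)
        return try_chown(f.name, st.st_uid + 1, -1)


if __name__ == "__main__":
    print("euid 0:", is_privileged())
    print("no-op chown (same uid:gid) allowed:", noop_chown_allowed())
    print("real chown (different uid) allowed:", real_chown_allowed())
```

Run it as a normal user and then under a confined profile (for instance via `aa-exec -p <profile>`): on the `dir` host the first check should stay True while the second depends only on CAP_CHOWN; on the idmapped `zfs` mount the comment's observation is that the no-op case is denied as well, which is what makes the bug visible.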