Comment 4 for bug 1901586

Olivier Tilloy (osomon) wrote :

The chromium snap's generated AppArmor profile does include <abstractions/ssl_certs>, which allows read access to /etc/ssl/certs/ and /usr/local/share/ca-certificates/, among other paths¹.

So the problem is not confinement per se, but the fact that the core snap shadows these directories.

I wonder if using the system-files interface² would be a valid use case to expose these certificates in a read-only fashion.

¹ see /etc/apparmor.d/abstractions/ssl_certs for reference
² https://snapcraft.io/docs/system-files-interface