Tried:

sudo mkdir -p /var/lib/libvirt/virtiofsd/test1

Get a guest and add
<filesystem type='mount' accessmode='passthrough'>
    <driver type='virtiofs'/>
    <binary xattr='on'>
       <lock posix='on' flock='on'/>
    </binary>
    <source dir='/var/lib/libvirt/virtiofsd/test1'/>
    <target dir='test1'/>
</filesystem>

due to:
"error: unsupported configuration: virtiofs requires one or more NUMA nodes"
This is explained in https://libvirt.org/kbase/virtiofs.html as a pre-req for shared memory
Due to that also add something like:
    <numa>
      <cell id='0' cpus='0-7' memory='2' unit='GiB' memAccess='shared'/>
    </numa>

There are more details for memory backing in the link above, but this gets you working.

In the guest one can then mount that via:
$ sudo mount -t virtiofs test1 /mnt

Runs fine on the host and provides transparent host FS access
in a more modern fashion than 9p.

ubuntu@node-horsea:~$ systemctl status libvirtd
● libvirtd.service - Virtualization daemon
     Loaded: loaded (/lib/systemd/system/libvirtd.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2020-08-26 06:11:11 UTC; 24min ago
TriggeredBy: ● libvirtd-admin.socket
             ● libvirtd.socket
             ● libvirtd-ro.socket
       Docs: man:libvirtd(8)
             https://libvirt.org
   Main PID: 1499817 (libvirtd)
      Tasks: 159 (limit: 32768)
     Memory: 63.1M
     CGroup: /system.slice/libvirtd.service
             ├─   1355 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             ├─   1356 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             ├─  41956 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/net-host-only-bridge-for-dpdk-1.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             ├─  41957 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/net-host-only-bridge-for-dpdk-1.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             ├─  41984 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/net-host-only-bridge-for-dpdk-2.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             ├─  41985 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/net-host-only-bridge-for-dpdk-2.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper
             ├─1499817 /usr/sbin/libvirtd
             ├─1518124 /usr/lib/qemu/virtiofsd --fd=28 -o source=/var/lib/libvirt/virtiofsd/test1,xattr,flock,posix_lock
             └─1518142 /usr/lib/qemu/virtiofsd --fd=28 -o source=/var/lib/libvirt/virtiofsd/test1,xattr,flock,posix_lock


Works fine with the apparmor rule applied.
I also tried to remove the rule and can confirm the former error.

$ virsh start virtiofsd-guest
error: Failed to start domain virtiofsd-guest
error: internal error: virtiofsd died unexpectedly

[173492.773174] audit: type=1400 audit(1598423932.651:6460): apparmor="DENIED" operation="exec" profile="libvirtd" name="/usr/lib/qemu/virtiofsd" pid=1518858 comm="rpc-worker" requested_mask="x" denied_mask="x" fsuid=0 ouid=0


We should probably create a apparmor subprofile for
/usr/lib/qemu/virtiofsd before we start to fade out 9p support.