virt-aa-helper has done this for as long as I can remember. /lib4 is not an FHS compliant location to store volatile data like VMs, which is what virt-aa-helper is trying to enforce (ie, if someone is trying to also restrict libvirtd itself, then virt-aa-helper has to be careful to not allow someone with libvirtd qemu:///system access to various files which could be used to escalate privileges.
virt-aa-helper has done this for as long as I can remember. /lib4 is not an FHS compliant location to store volatile data like VMs, which is what virt-aa-helper is trying to enforce (ie, if someone is trying to also restrict libvirtd itself, then virt-aa-helper has to be careful to not allow someone with libvirtd qemu:///system access to various files which could be used to escalate privileges.