The pivot_root part looks more solid - the "." -> "." should make any symlink trickery with host / impossible here, the MS_SLAVE should do the rest. But perhaps someone else may take a look ...

The apparmor modification may still work; I do not see major differences preventing it. Do you know of critical features allowed in lxc-start that would be disabled by the standard container profile with that?

25741 open("/proc/1/attr/current", O_WRONLY) = 11
25741 write(11, "changeprofile lxc-container-default", 35) = 35
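The mount sequence discussed above (MS_SLAVE propagation, then pivot_root(".", ".") from inside the new root), written out as an added C illustration; this is not code from the thread or from LXC itself, and the helper name pivot_into_rootfs and the rootfs argument are assumptions. It only succeeds with CAP_SYS_ADMIN and a prepared root filesystem; without them it reports -errno.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical helper (not LXC's code): enter a private mount namespace,
 * make every mount a slave so nothing done here propagates to the host,
 * then pivot_root(".", ".").  Using "." for both arguments makes the
 * kernel resolve new_root and put_old from the already-entered cwd, so a
 * symlink planted in the container rootfs cannot redirect either path
 * to a host directory.  Returns 0 on success, -errno on failure. */
int pivot_into_rootfs(const char *rootfs)
{
    if (unshare(CLONE_NEWNS) < 0)              /* needs CAP_SYS_ADMIN */
        return -errno;
    /* MS_REC|MS_SLAVE: container receives host mount events but its own
     * mounts/umounts never flow back upstream. */
    if (mount(NULL, "/", NULL, MS_REC | MS_SLAVE, NULL) < 0)
        return -errno;
    /* pivot_root requires new_root to be a mount point: bind it to itself. */
    if (mount(rootfs, rootfs, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -errno;
    if (chdir(rootfs) < 0)
        return -errno;
    /* No glibc wrapper exists; raw syscall.  Afterwards the old root is
     * stacked on top of the new root at "/" in this namespace. */
    if (syscall(SYS_pivot_root, ".", ".") < 0)
        return -errno;
    /* "." now resolves up the stack to the old root mount: detach it,
     * then move cwd onto the new "/" so no handle to the host root remains. */
    if (umount2(".", MNT_DETACH) < 0)
        return -errno;
    if (chdir("/") < 0)
        return -errno;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <rootfs>\n", argv[0]); return 2; }
    int rc = pivot_into_rootfs(argv[1]);
    if (rc < 0) { fprintf(stderr, "pivot failed: %s\n", strerror(-rc)); return 1; }
    /* Inside the new root now: list it to show the host tree is gone. */
    execl("/bin/ls", "ls", "-la", "/", (char *)NULL);
    return 1;
}
```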