Is asking too much IMHO and increases the friction between sysadmins and
Apparmor in general."
Of course. I listed this as something that could be considered for the openntpd/ntpd case, not for a sysadmin. This is a corner case that should be coordinated between these packages. In all cases except this rare corner case, it is totally fine (and correct) to leave the profile loaded until next reboot and sysadmins don't have to care about this at all.
"Asking someone to know about that:
echo -n "<profile_name>" > /sys/kernel/ security/ apparmor/ .remove
Is asking too much IMHO and increases the friction between sysadmins and
Apparmor in general."
Of course. I listed this as something that could be considered for the openntpd/ntpd case, not for a sysadmin. This is a corner case that should be coordinated between these packages. In all cases except this rare corner case, it is totally fine (and correct) to leave the profile loaded until next reboot and sysadmins don't have to care about this at all.