Comment 3 for bug 1298539

Dimitri John Ledkov (xnox) wrote :

We could just run profile loading earlier, ahead of remote filesystems, as an upstart job:

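description "Pre-cache and load apparmor profiles"
task
# Run once local filesystems are mounted, ahead of remote filesystems; not in containers
start on local-filesystems and not-container
script
 # Pull in the AppArmor helper functions (absolute path, independent of the working directory)
 . /lib/apparmor/functions
 # Nothing to do if the profile load interface is not writable
 [ -w "$AA_SFS"/.load ] || { stop; exit 0; }
 load_configured_profiles
end script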

Also, desktop is a bit too quick to observe the ordering here. But, e.g., it looks like on ubuntu-touch network-manager is started ahead of loading all apparmor profiles; the network-manager job does not load profiles for binaries that it uses, and it can spawn e.g. dhclient. See:
http://people.canonical.com/~ogra/touch-bootcharts/ubuntu-phablet-trusty-283.png

dhclient did not execute ahead of apparmor_profile launched by xargs, but I think it could be on a cold boot, when profiles are regenerated for all .clicks.
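
Added example, not part of the original comment or of the apparmor package: a check for the consequence of the ordering discussed above, where a process such as dhclient that was executed before its profile was loaded stays unconfined. The function names and the sample data are constructed for illustration, and the matching assumes profiles named after the executable path (no globs or separately named profiles).

```shell
#!/bin/sh
# find_raced PROFILES PROCS
#   PROFILES: text in the format of /sys/kernel/security/apparmor/profiles,
#             one "<profile name> (<mode>)" per line
#   PROCS:    lines of "<pid> <exe> <label>", where <label> is the content of
#             /proc/<pid>/attr/current ("unconfined" or "<profile> (<mode>)")
# Prints "<pid> <exe>" for every process that is unconfined although a loaded
# profile is named after its executable, i.e. it started before the profile.
find_raced() {
    printf '%s\n' "$2" | while read -r pid exe label; do
        [ "$label" = "unconfined" ] || continue
        if printf '%s\n' "$1" |
            grep -qxF -e "$exe (enforce)" -e "$exe (complain)"; then
            printf '%s %s\n' "$pid" "$exe"
        fi
    done
}

# Build the PROCS input from a live system (reading other users' processes
# and the securityfs profile list needs root).
collect_procs() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        label=$(cat "$d/attr/current" 2>/dev/null) || continue
        printf '%s %s %s\n' "${d#/proc/}" "$exe" "$label"
    done
}

# Constructed sample data: dhclient was spawned by NetworkManager before
# profile loading finished; tcpdump started afterwards and is confined.
SAMPLE_PROFILES='/sbin/dhclient (enforce)
/usr/sbin/tcpdump (enforce)
/usr/bin/evince (complain)'
SAMPLE_PROCS='812 /usr/sbin/NetworkManager unconfined
1044 /sbin/dhclient unconfined
1390 /usr/sbin/tcpdump /usr/sbin/tcpdump (enforce)
1502 /usr/bin/evince unconfined'

if [ "${1:-}" = "--live" ]; then
    find_raced "$(cat /sys/kernel/security/apparmor/profiles)" "$(collect_procs)"
else
    find_raced "$SAMPLE_PROFILES" "$SAMPLE_PROCS"
fi
```

Run with `--live` as root shortly after boot; any line of output names a process that would need a restart to pick up its profile.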