Comment 17 for bug 1845506

ok, attach-device and attach-disk only support one device on each invocation and thereby are safe even if they would call the critical code.

But these (more common) paths still pass AppArmorSetSecurityImageLabel which means if there were rules added that are not yet reflected in the XML representation they would be lost at this point.
So while not really affected it seems wise for this use-case as well to make the changes.