Comment 6 for bug 1871148

Jamie Strandboge (jdstrand) wrote :

AFAICS, nothing is explicitly depending on apparmor to have finished, though it will tend to finish due to when it runs. If it takes a while or systemd starts running parallel jobs, the daemons may not start.

That doesn't seem to sufficiently describe this situation. From Daniel's paste:

Apr 06 16:32:56 defiant systemd[1]: Finished Load AppArmor profiles.
...
Apr 06 16:32:58 defiant audit[3342]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap.multipass.multipassd" pid=3342 comm="snap-confine"
Apr 06 16:32:58 defiant multipass.multipassd[3342]: cannot change profile for the next exec call: No such file or directory

This multipass denial is the first denial caused by this bug, but it happened *after* the apparmor profiles finished loading. It seems like at the time of the denial, /var/lib/snapd/apparmor/profiles might've been (partially?) empty and so the cache was cleared.
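
One way to check a journal for the ordering described in the comment above, as an added example that is not part of the original comment or of snapd/AppArmor code: it finds change_onexec "label not found" denials and marks whether each one came after the "Finished Load AppArmor profiles." message. The function name, the assumed year and the first sample line are constructed for illustration; the other sample lines are the ones quoted in the comment.

```python
import re
from datetime import datetime

# First line is constructed (hypothetical label snap.example.daemon) to show a
# denial *before* profile loading finished; the rest are quoted from the comment.
SAMPLE = '''\
Apr 06 16:32:55 defiant audit[3100]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap.example.daemon" pid=3100 comm="snap-confine"
Apr 06 16:32:56 defiant systemd[1]: Finished Load AppArmor profiles.
...
Apr 06 16:32:58 defiant audit[3342]: AVC apparmor="DENIED" operation="change_onexec" info="label not found" error=-2 profile="/usr/lib/snapd/snap-confine" name="snap.multipass.multipassd" pid=3342 comm="snap-confine"
Apr 06 16:32:58 defiant multipass.multipassd[3342]: cannot change profile for the next exec call: No such file or directory
'''

# timestamp, host, identifier, optional [pid], message
LINE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) (\S+) ([^:\[]+)(?:\[(\d+)\])?: (.*)$')
KV = re.compile(r'(\w+)="([^"]*)"')   # quoted key="value" audit fields only
LOADED = "Finished Load AppArmor profiles."


def missing_label_denials(journal_text, year=2000):
    """Return change_onexec 'label not found' denials, each tagged with
    whether it was logged after AppArmor profile loading had finished.
    Syslog-style stamps carry no year, so `year` is an assumption."""
    loaded_at = None
    hits = []
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skips elisions such as "..."
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ident, msg = m.group(3), m.group(5)
        if ident == "systemd" and msg == LOADED:
            loaded_at = when
        elif ident == "audit":
            f = dict(KV.findall(msg))
            if (f.get("apparmor") == "DENIED"
                    and f.get("operation") == "change_onexec"
                    and f.get("info") == "label not found"):
                hits.append({
                    "time": when,
                    "label": f.get("name"),        # profile that was not loaded
                    "requested_by": f.get("profile"),
                    "after_load": loaded_at is not None and when >= loaded_at,
                })
    return hits


if __name__ == "__main__":
    for h in missing_label_denials(SAMPLE):
        print(h["time"].time(), h["label"], "after_load=%s" % h["after_load"])
```

A hit with `after_load` true is the case the comment singles out: the target label was missing even though the profile load had already reported completion, so start-up ordering alone does not explain it.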