Container apparmor logging is done in host


what is taking me usually 5 minutes - setting a mail agent, msmtp - has taken me 5 hours today thanks to apparmor and lxd.
I have tried for the first time an Ubuntu 19.10 container, in this version msmtp has gotten a brand new apparmor profile, and the log name used for this profile (/var/log.msmtp) is different from the name I use (/var/log/msmtp.log). So I got permissions errors when msmtp was trying to log.
Unfortunately Ubuntu has also set the msmtp binary SGID, a feature I am not accustomed with, and I lost a lot of time trying to understand how it was supposed to work and block my access. The trouble is that the container syslog has NOTHING about the true problem. Once I had eliminated painfully any possibility that the access rights were wrong, I had the idea that the container stuff could be the culprit and I looked into the host syslog.
And there I finally discovered the awful apparmor messages.

Now is this normal ? From time to time there are messages here of people wanting to manage ‘tenants’, that is people a bit like customers; how in the world can these tenants manage correctly their containers if they can’t see such important messages ?

I looked at github issues and this does not seem considered a bug or a problem.

Yet I think it is really a problem, and it should be really prominent in the doc (I searched for it and failed to find anything about this ‘feature’).