The following PRs ensure that readonly=true disk devices are now truly read-only even when using one of the QEMU proxy daemons to work around AppArmor profile and unprivileged user limitations.
We now use a host-side readonly bind mount of the source directory, which is passed to the virtfs-proxy-helper (for 9p) and virtiofsd (for virtio-fs) shares, providing a “belt and braces” approach by using the Linux kernel itself to enforce readonly access and don’t just rely on QEMU’s security restrictions.
The reason bind mounting didn’t work for you is because LXD from the SNAP runs inside its own mount namespace and was not seeing the bind mount you setup on the host’s mount namespace. LXD is now going to setup its own bind mount and this will be done inside the SNAP mount namespace and so will take effect.