Problem with disabling AppArmor for a single container

lxc.apparmor.profile=unconfined makes your container run without AppArmor confinement. That doesn’t, however, mean that profiles cannot be loaded and used by it, nor that existing AppArmor profiles on the host cannot apply to it.

That’s why that option is so terrible: it effectively allows the host to mess with AppArmor profiles on the host and any host AppArmor profile to randomly apply to container processes.
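An added example, not part of the original post: a host-side check that reads the AppArmor label of each process in a container set to `unconfined` and reports the ones that still carry a profile. The function names and the sample labels are constructed for illustration, and the parser assumes plain labels from `/proc/<pid>/attr/current` (no namespaced or stacked labels).

```python
import re
from pathlib import Path

# Plain label format in /proc/<pid>/attr/current:
#   "unconfined"   or   "<profile> (<mode>)"
LABEL_RE = re.compile(r"^(?P<profile>.+) \((?P<mode>[a-z]+)\)$")


def parse_label(raw):
    """Return (profile, mode); an unconfined task gives ("unconfined", None)."""
    text = raw.replace("\x00", "").strip()
    match = LABEL_RE.match(text)
    if match:
        return match.group("profile"), match.group("mode")
    return text, None


def read_label(pid, proc=Path("/proc")):
    """Read the live label of one task from the host (Linux only)."""
    return parse_label((proc / str(pid) / "attr" / "current").read_text())


def confined_despite_unconfined(labels):
    """labels maps pid -> raw label text for the container's processes.

    Returns {pid: (profile, mode)} for every task that still has a
    profile attached although the container was configured unconfined.
    """
    hits = {}
    for pid, raw in labels.items():
        profile, mode = parse_label(raw)
        if profile != "unconfined":
            hits[pid] = (profile, mode)
    return hits


# Constructed sample: labels as they might read for three processes of a
# container started with lxc.apparmor.profile=unconfined (hypothetical pids).
SAMPLE = {
    4101: "unconfined\n",
    4188: "/usr/sbin/tcpdump (enforce)\n",
    4230: "/usr/bin/man (complain)\n",
}

if __name__ == "__main__":
    for pid, (profile, mode) in sorted(confined_despite_unconfined(SAMPLE).items()):
        print(f"pid {pid}: host profile {profile!r} applies in {mode} mode")
```

On a live host, build the `labels` mapping by calling `read_label` for each PID belonging to the container instead of using `SAMPLE`.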