Further security issues with #linux AppImage: internally they run fusermount and then an executable (!) script from /tmp (!) with a random name so good luck with confining that with AppArmor... Each AppImage binary thus requires CAP_DAV_OVERRIDE and CAP_SYS_ADMIN.