Hello,
The problem with this is that the nsjail location is wherever you synced AOSP, so a profile can't really be made for it that can be upstreamed to AppArmor.
The first idea is to just change the build documentation to note that Ubuntu 24.04 onwards will require disabling the restriction.
The second idea is to make nsjail a package in Debian. That way it would have a static, non-user-modifiable location that a policy could be created for and upstreamed.
I've noticed that a lot of build dependencies have been moved to prebuilts, so I'm not sure if moving nsjail out of tree is really something Google would want.
Thoughts?
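For reference, this is roughly what the second idea would look like once nsjail lives at a fixed path. It is an added example, not code from the post above or from the nsjail or AOSP projects, and it assumes two things not stated in the post: that "the restriction" is Ubuntu 24.04's AppArmor restriction on unprivileged user namespaces (sysctl `kernel.apparmor_restrict_unprivileged_userns`), and that a Debian package would install the binary at `/usr/bin/nsjail`. The profile follows the pattern Ubuntu ships in `/etc/apparmor.d/` for other userns-using applications: the process stays unconfined but is granted the `userns` permission, so the sysctl can stay at its default of 1.

```apparmor
# /etc/apparmor.d/nsjail (hypothetical; assumes the binary is packaged at /usr/bin/nsjail)
abi <abi/4.0>,
include <tunables/global>

# flags=(unconfined): no file/network mediation is applied, this profile exists
# only to grant the unprivileged user namespace permission that Ubuntu 24.04
# denies by default when kernel.apparmor_restrict_unprivileged_userns=1.
profile nsjail /usr/bin/nsjail flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/nsjail>
}
```

Load it with `sudo apparmor_parser -r /etc/apparmor.d/nsjail` and confirm with `aa-status` that `nsjail` appears as a loaded profile. The check that matters for the first idea is `sysctl kernel.apparmor_restrict_unprivileged_userns`: with the profile in place it can remain 1, which is the whole point of preferring a fixed-path package over telling every builder to flip it to 0 system-wide. A profile keyed on a path under a developer's AOSP checkout cannot be upstreamed precisely because that attachment path differs per machine.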