Sorry for not following up on this earlier! The approach I initially thought of might have been able to fix a few cases, but not all of them: it was relying on the userd session daemon to be running, but that is not a certain fact, since we want snaps to be working even in those cases where the used it not logged in a graphical session.
The solution would be to make "snap run ..." create the directories: the /usr/bin/snap program is not subject to an AppArmor confinement, so it could create the directories before invoking snap-confine.
Sorry for not following up on this earlier! The approach I initially thought of might have been able to fix a few cases, but not all of them: it was relying on the userd session daemon to be running, but that is not a certain fact, since we want snaps to be working even in those cases where the used it not logged in a graphical session.
The solution would be to make "snap run ..." create the directories: the /usr/bin/snap program is not subject to an AppArmor confinement, so it could create the directories before invoking snap-confine.