feat(profile): bwrap always need userns.

apparmor.d/abstractions/bwrap

@@ -4,10 +4,12 @@
 
 # Minimal set of rules for bwrap
 
-# A profile using this abstaction still needs to set:
+# A profile using this abstraction still needs to set:
 # - the attach_disconnected flag
 # - bwrap execution: '@{bin}/bwrap rix,'
 
+  # userns,
+
   capability net_admin,
   capability setpcap,
   capability sys_admin,

apparmor.d/groups/gnome/nautilus

@@ -26,8 +26,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/trash>
 
-  # userns,
-
   # mqueue r type=posix /,
 
   dbus bind bus=session name=org.gnome.Nautilus,