The factory maintainers didn't really like writing the cache to /etc, and after
some discussion I agreed to switch to /var/lib/apparmor/cache instead.
/var/lib is part of the root filesystem in the default setup, and I also added
After=var-lib.mount
to apparmor.service as safety net.
If this causes any problems, DimStar officially allowed to blame him ;-)