Can’t you just encrypt your user dir? Well yes you can, but that only protects you from external attackers what if a program were to go and take the cookie file from ~/snap/firefox they could login in and do stuff hence the encrypted user conf because the program process is in its own namespace only a root user can see inside. So like mount a luks fs in where the user conf dir is.
An idea on implantation, when starting up a snap check for a user set encrypted flag if that is true run a dialog that asks for a password and feed it to say Cryfs which will expand to any size unlike luks and when ever the name space is closed ever thing will be relocked