Thanks for creating this request. Does your snap actually change users to the snap_daemon
user after startup? Just adding system-usernames
the the snapcraft.yaml is not sufficient, the snap needs to explicitly change to this less privileged user itself.
I assume you followed the example in https://github.com/MirServer/iot-example-graphical-snap which looks to be packaged by @alan_g - Alan can you advise whether this example snap already includes the code to drop privileges to the snap_daemon
user, and if it doesn’t, it would be worth adding that for future users of the snap.