Some of its commands (e.g.
wksctl apply) need to read local configuration files that are being passed by users via command line args. Ideally, enabling access to only those specified files would work fine, but as the paths are dynamic, my understanding is that the only way to make it work is by giving a broad file read-access to the snap.
An alternative I was considering is
strict confinement with
personal-files interfaces enabled, but I don’t know if that would be any better if the scope was set to the root anyway.
Thank you in advance!