Discord should not be allowed to ptrace other snaps (label=snap.!discord.*) or system processes (label=unconfined) since that would allow discord to completely control these other processes. This would be a surprising requirement for a chat program.
That said, the LSM hooks in the kernel are not fine-grained enough for ptrace and a ‘ptrace trace’ denial can actually be triggered with the ‘ps’ command. From interfaces/builtin/system_observe.go:
# ptrace can be used to break out of the seccomp sandbox, but ps requests
# 'ptrace (trace)' even though it isn't tracing other processes. Unfortunately,
# this is due to the kernel overloading trace such that the LSMs are unable to
# distinguish between tracing other processes and other accesses. We deny the
# trace here to silence the log.
# Note: for now, explicitly deny to avoid confusion and accidentally giving
# away this dangerous access frivolously. We may conditionally deny this in the
# future.
deny ptrace (trace),
Discord already plugs system-observe, so you can make the denial go away with: `sudo snap connect discord:system-observe.
I would argue that it is surprising that discord requires system-observe and that it should be modified to not trigger the denial. In lieu of that, discord should probably pursue auto-connecting the system-observe interface.