Enforcing permissions not needed by app itself, but needed by sandbox

Can you please give some hints how to drop down not needed permissions of snap app.

Details: there’s an app parsing and displaying output of ‘ping’ tool (note: std ‘ping’ tool is included in all snap cores). Permissions that need to be granted in case of use it in snap infrastructure comparing to use out of snap scopes:

  1. out of snap ecosystem, with deb or apk package for example: There’s no need to grant anything extra because ‘ping’ itself has enough them to ping, it’s granted via fine-grained linux capabilities, like
% ls -lh /bin/ping; getcap /bin/ping
-rwxr-xr-x 1 root root 88K Nov 27  2022 /bin/ping
/bin/ping cap_net_raw=ep

2) in case of snap package: There's snappy-debug suggestions
Log: apparmor="DENIED" operation="exec" class="file" profile="snap.fmtr.fmtr" name="/usr/bin/ping" pid=315899 comm="io.flutter.ui" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
File: /usr/bin/ping (exec)
* adjust snap to ship 'ping'
* adjust program to use relative paths if the snap already ships 'ping'
* add one of 'firewall-control, network-control, network-observe' to 'plugs'

despite that core’s pings already have all needed permissions:

% ls -lh /snap/core*/*/bin/ping; getcap /snap/core*/*/bin/ping
-rwsr-xr-x 1 root root 44K May  7  2014 /snap/core/16202/bin/ping
-rwxr-xr-x 1 root root 72K Jan 31  2020 /snap/core20/2015/bin/ping
-rwxr-xr-x 1 root root 75K Feb  5  2022 /snap/core22/864/bin/ping
/snap/core20/2015/bin/ping cap_net_raw=ep
/snap/core22/864/bin/ping cap_net_raw=ep

I.e. in this aspect snap version is more insecure than app installed from apk or deb?
Is there a way to grant extra permissions to snap core’s ping only?