I double-checked and the service indeed ran as root (I think snap services even can only run as root). But I found the error. Seccomp/AppArmor still had some violations (which I found by sudo /snap/bin/snappy-debug.security scanlog). Which in turn caused umount to fail with the EPERM error. Which then was translated to the misleading error message.
Excerpt from this file (https://github.com/karelzak/util-linux/blob/master/libmount/src/context_umount.c):

    case EPERM:
        snprintf(buf, bufsz, _("must be superuser to unmount"));
I added the missing permissions to the interface and now mount and umount work. But I didn’t think about any security implications of this interface yet. If you point me to some security-problematic lines in the cifs-mount-control interface I can think about how to maybe mitigate these.
And another question: Should I try to include the necessary permissions from the mount-observe interface in my interface, or is it better if these two interfaces can only work together? Currently I need mount-observe to e.g. read @{PROC}/@{pid}/mounts r, etc.
These were the changes which finally made it work: