So for a long while we had a bug (https://bugs.launchpad.net/snapd/+bug/1667479) where a refresh of the core snap (or any base snap). This bug is not a problem (as much) on core where the core snap refresh ends up with a reboot. For a good while now whenever a process starts up it would reuse a readily available mount namespace associated with that snap. The problem is that we never had a system for invalidating that “cache” safely when the base snap changes revision.
We discussed this problem before and agreed to invalidate the cache only when there are no more applications (processes) that belong to that snap that are still alive. This ensures that all applications see exactly the same filesystem.
Long story short, we finally got this: I implemented a fix for this earlier today. In the past I tried a slightly different solution that didn’t fully work because of (apparently) bugs in AppArmor. My new approach seems to just work and is conceptually very simple.
EDIT: This turned out to actually be as simple as I did stumble over kernel bugs again. Still, it really seems to work, have a look!
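The invalidation rule described above, modelled as an added example that is not part of the original post and is not snapd's code. The names `CachedNamespace`, `live_pids` and `decide`, the one-PID-per-line tracking file, and the revision numbers are all assumptions made for illustration.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CachedNamespace:
    base_revision: str  # base snap revision the namespace was built from


def live_pids(procs_file: str) -> List[int]:
    """PIDs of the snap's processes, one per line; missing file = none."""
    try:
        with open(procs_file) as f:
            return [int(line) for line in f if line.strip()]
    except FileNotFoundError:
        return []


def decide(cached: Optional[CachedNamespace], current_base: str,
           procs_file: str) -> str:
    """What to do with the cached mount namespace when an app starts."""
    if cached is None:
        return "create"
    if cached.base_revision == current_base:
        return "reuse"
    # Base snap changed revision. Discarding now would give the new process
    # a different filesystem than its still-running siblings.
    if live_pids(procs_file):
        return "reuse-stale"
    return "discard-and-create"


def demo() -> List[str]:
    """Constructed scenario: base refresh from rev 100 to 101 mid-run."""
    out = []
    with tempfile.TemporaryDirectory() as d:
        procs = os.path.join(d, "procs")  # hypothetical tracking file
        out.append(decide(None, "100", procs))           # first start
        cached = CachedNamespace("100")
        with open(procs, "w") as f:
            f.write("4242\n")                            # one app running
        out.append(decide(cached, "100", procs))         # same base
        out.append(decide(cached, "101", procs))         # refreshed, app alive
        open(procs, "w").close()                         # last app exited
        out.append(decide(cached, "101", procs))         # safe to rebuild
    return out
```

The `reuse-stale` branch is the operationally relevant one: as long as any process of the snap is alive, every later start keeps running on the old base revision.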