Hmm, I am not sure it would be a good idea to grant this - allowing write access to ~/.local/share/applications allows a trivial sandbox escape for chromium, since it can just drop a new desktop file there that overrides the one installed by snapd, which launches itself (or some other application) outside of the regular confinement provided by snapd.
Assuming we trust chromium that perhaps is ok BUT it doesn’t account for the case where chromium gets remotely exploited and an attacker uses this to then escape the sandbox.
Unfortunately, I think this would need support from snapd to allow it to proxy and enforce that the desktop files were created with appropriate values that do not allow sandbox escape. @jamesh I wonder if the desktop team has thoughts on this? (Similarly @pedronis, whether you have any thoughts.) Thanks.
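As an added example that is not part of the original post and is not snapd code, the following audit script flags desktop files in `~/.local/share/applications` that shadow a snapd-installed entry of the same name and launch something other than a confined launcher. It is a heuristic: it assumes snapd's entries live in `/var/lib/snapd/desktop/applications` and that a confined launch always goes through `/snap/bin/`, and the function names are hypothetical.

```python
import shlex
from pathlib import Path

SNAPD_DIR = Path("/var/lib/snapd/desktop/applications")  # where snapd writes its desktop files
USER_DIR = Path.home() / ".local/share/applications"     # takes XDG precedence over SNAPD_DIR
CONFINED_PREFIXES = ("/snap/bin/",)                       # assumption: confined launchers live here


def exec_lines(desktop_file):
    """Return every Exec= value in the file (main entry and any action groups)."""
    values = []
    for raw in Path(desktop_file).read_text(errors="replace").splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == "Exec":
            values.append(value.strip())
    return values


def launched_program(exec_value):
    """First real program in an Exec value, skipping a leading `env VAR=value ...`."""
    try:
        tokens = shlex.split(exec_value)
    except ValueError:
        return None  # unbalanced quotes: treat as unparseable and therefore suspicious
    if tokens and tokens[0] in ("env", "/usr/bin/env"):
        tokens = tokens[1:]
        while tokens and "=" in tokens[0] and not tokens[0].startswith("/"):
            tokens = tokens[1:]
    return tokens[0] if tokens else None


def find_unconfined_overrides(user_dir=USER_DIR, snapd_dir=SNAPD_DIR):
    """List (desktop id, Exec value) pairs where a user file shadows a snapd one
    and launches something outside CONFINED_PREFIXES."""
    findings = []
    snap_ids = {p.name for p in Path(snapd_dir).glob("*.desktop")}
    for path in sorted(Path(user_dir).glob("*.desktop")):
        if path.name not in snap_ids:
            continue  # not an override of a snapd-installed entry
        for value in exec_lines(path):
            program = launched_program(value)
            if program is None or not program.startswith(CONFINED_PREFIXES):
                findings.append((path.name, value))
    return findings


if __name__ == "__main__":
    for desktop_id, value in find_unconfined_overrides():
        print(f"{desktop_id}: overrides snapd entry, Exec={value}")
```

A clean result only means no same-named override was found; it does not cover other ways a desktop entry can be associated with an application.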