I suggest you use ‘snappy-debug’ to help with moving from devmode to strict mode since it will make suggestions to you. See Security policy and sandboxing.

The seccomp denial is for the ‘listen’ syscall. I suggest you also plug network-bind. The /proc/sys/dev/cdrom/info access should be added to the optical-drive interface and it may be non-fatal. I’ve taken a TODO to do that. In the meantime, you can work around the issue by adding this to /var/lib/snapd/apparmor/profiles/snap.musicbrainz-picard.musicbrainz-picard (before the trailing ‘}’):

/proc/sys/dev/cdrom/info r,

and reload the profile with:

sudo apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.musicbrainz-picard.musicbrainz-picard

Note that if you ‘snap try’, snap install, snap remove, reboot, etc., then this change will be lost and you’ll have to add it again.
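
The workaround above as an added example (not part of the original post and not snapd's own tooling): a shell function that inserts the rule before the profile's last ‘}’ and does nothing if the rule is already there, so it can be re-run whenever the change has been lost. The function name and the two-space indent are assumptions of this example.

```shell
#!/bin/sh
# Added example: insert an AppArmor rule before the final '}' of a profile file.
# add_rule_before_closing_brace is a hypothetical helper, not a snapd command.

add_rule_before_closing_brace() {
    profile=$1
    rule=$2

    # Already present: leave the file untouched so re-runs are harmless.
    if grep -qF -- "$rule" "$profile"; then
        return 0
    fi

    # Line number of the last line that contains only '}' (end of the profile).
    last=$(grep -n '^[[:space:]]*}[[:space:]]*$' "$profile" | tail -n 1 | cut -d: -f1)
    if [ -z "$last" ]; then
        echo "no closing brace found in $profile" >&2
        return 1
    fi

    tmp=$(mktemp) || return 1
    # Copy the profile, printing the indented rule just before that line.
    if ! awk -v n="$last" -v r="$rule" 'NR == n { print "  " r } { print }' \
            "$profile" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    cat "$tmp" > "$profile"   # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# Usage (as root), followed by the reload command from the post:
#   P=/var/lib/snapd/apparmor/profiles/snap.musicbrainz-picard.musicbrainz-picard
#   add_rule_before_closing_brace "$P" '/proc/sys/dev/cdrom/info r,'
#   apparmor_parser -r "$P"
```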