Been looking into this a bit, and it seems like mount namespaces are set up in a particular way, and this mount namespace is shared by invocations of a particular snap: 1, 2.
This raises an interesting question of how to make this work with the little nsdo tool mentioned above. Normally, nsdo will setns() to the mount namespace and network namespace and exec() the program. The mount namespace to setns() into could be different if I want to run my application in different VPNs. So I don’t think custom hooks for snap mount namespace setup would help, since I may want to run Firefox in no VPN or different VPNs later on. Somehow nsdo would have to mess with the snap mount namespace at runtime (sus) or create new mount namespaces for every VPN for every snap (oh my).
Oh man… I don’t think this is an unfair use case, though
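The setns()-then-exec() sequence described in the post, plus a check for whether two processes share a namespace, as an added example that is neither nsdo's source nor the poster's code. The function names and the command-line layout (network namespace path, mount namespace path, command) are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* stat() the namespace handle /proc/PID/ns/TYPE (TYPE is "mnt", "net", ...). */
static int ns_stat(pid_t pid, const char *type, struct stat *st)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/ns/%s", (long)pid, type);
    return stat(path, st);
}

/* 1 if both pids are in the same namespace of this type, 0 if not,
 * -1 if either handle cannot be read (no such pid, no permission). */
int same_ns(pid_t a, pid_t b, const char *type)
{
    struct stat sa, sb;
    if (ns_stat(a, type, &sa) != 0 || ns_stat(b, type, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/* Join the namespace behind `path` (a /proc/PID/ns/ file or a bind mount
 * of one). Needs CAP_SYS_ADMIN; returns 0 on success, -1 on failure. */
int join_ns(const char *path, int nstype)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = setns(fd, nstype);
    close(fd);
    return rc;
}

/* Assumed usage: prog NETNS_PATH MNTNS_PATH CMD [ARGS...]
 * The network namespace is joined first, while both paths still resolve. */
int main(int argc, char **argv)
{
    if (argc < 4)
        return 2;
    if (join_ns(argv[1], CLONE_NEWNET) || join_ns(argv[2], CLONE_NEWNS))
        return perror("setns"), 1;
    execvp(argv[3], &argv[3]);
    return perror("execvp"), 1;
}
```

Calling `same_ns()` with the pid of a running snap process and the pid of an ordinary shell, with type `"mnt"`, shows whether the two actually see the same mount namespace.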