Thanks for your input! I started implementing this now in: https://github.com/snapcore/snapd/pull/3456
It will generate a system-key string from the build-id and the apparmor-features of the running kernel. It's trivial to extend to new inputs as needed. The system-key currently looks roughly like this:
build-id: 7a94e9736c091b3984bd63f5aebfc883c4d859e0
apparmor-features:
- capability
- caps
- dbus
My plan (for now) is to just use this string directly (instead of hashing it) as it will make reasoning over /var/lib/snapd/system-key easier. Happy to hash it though if that is preferable.
With that PR#3456 in place we can make the security profile re-generation conditional on the system-key: https://github.com/snapcore/snapd/pull/3460
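As an added illustration of the mechanism described in this post (example code written here, not code from the snapd pull requests): build a system-key string in the same shape shown above from a build-id and the AppArmor feature names, store it at the key path, and regenerate security profiles only when the computed key differs from the stored one. The paths, the assumption that features are the subdirectory names under the AppArmor features directory, and the function names are all assumptions made for this example; snapd's own implementation may differ.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Assumed locations for this example (not taken from the snapd PRs).
const (
	apparmorFeaturesDir = "/sys/kernel/security/apparmor/features"
	systemKeyPath       = "/var/lib/snapd/system-key"
)

// ReadAppArmorFeatures lists the feature names exposed as subdirectories
// of root (e.g. "capability", "caps", "dbus"). The result is sorted so
// the key does not depend on directory listing order.
func ReadAppArmorFeatures(root string) ([]string, error) {
	entries, err := os.ReadDir(root)
	if err != nil {
		return nil, err
	}
	var features []string
	for _, e := range entries {
		if e.IsDir() {
			features = append(features, e.Name())
		}
	}
	sort.Strings(features)
	return features, nil
}

// BuildSystemKey renders the key in the human-readable form shown in the
// post: a build-id line followed by a YAML-style list of features. Equal
// inputs always produce byte-identical output, which is what makes a
// plain string comparison a valid "did anything change?" test.
func BuildSystemKey(buildID string, features []string) string {
	sorted := append([]string(nil), features...)
	sort.Strings(sorted)
	var b strings.Builder
	fmt.Fprintf(&b, "build-id: %s\n", buildID)
	b.WriteString("apparmor-features:\n")
	for _, f := range sorted {
		fmt.Fprintf(&b, "- %s\n", f)
	}
	return b.String()
}

// SystemKeyChanged reports whether profiles must be regenerated. A missing
// stored key (first boot after upgrading to a snapd that writes one) is
// treated as changed, so profiles are regenerated rather than trusted.
func SystemKeyChanged(path, current string) (bool, error) {
	stored, err := os.ReadFile(path)
	if os.IsNotExist(err) {
		return true, nil
	}
	if err != nil {
		return false, err
	}
	return string(stored) != current, nil
}

// WriteSystemKey records the key after a successful regeneration. It is
// written via a temporary file and rename so a crash mid-write cannot
// leave a partial key that would be mistaken for a valid one.
func WriteSystemKey(path, key string) error {
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, []byte(key), 0o644); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}

func main() {
	// buildID would come from the running snapd binary's build-id note;
	// it is a constructed placeholder here.
	buildID := "7a94e9736c091b3984bd63f5aebfc883c4d859e0"
	features, err := ReadAppArmorFeatures(apparmorFeaturesDir)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read apparmor features:", err)
		os.Exit(1)
	}
	current := BuildSystemKey(buildID, features)
	changed, err := SystemKeyChanged(systemKeyPath, current)
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read system-key:", err)
		os.Exit(1)
	}
	if !changed {
		fmt.Println("system-key unchanged, skipping profile regeneration")
		return
	}
	fmt.Println("system-key changed, regenerating security profiles")
	// ... regenerate profiles here, then record the new key ...
	if err := WriteSystemKey(filepath.Clean(systemKeyPath), current); err != nil {
		fmt.Fprintln(os.Stderr, "cannot write system-key:", err)
		os.Exit(1)
	}
}
```

The key is only written after regeneration succeeds, so an interrupted run leaves the old (or no) key in place and the next boot regenerates again instead of silently running with stale profiles.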