AppArmor won't confine open-vm-tools
If you create a profile for /usr/bin/vmtoolsd (ubuntu package open-vm-tools) you will consistently notice that aa-status returns the following after boot/reboot
1 processes are unconfined but have a profile defined.
A quick investigation yields that /etc/systemd/system/multi-user.target.wants/open-vm-tools.service is set to start
Changing this to
After=network-online.target let's AppArmor confine the process but it feels like AppArmor should be starting earlier in the boot sequence so it can catch root services that start up in this manner.