AppArmor won't confine open-vm-tools

If you create a profile for /usr/bin/vmtoolsd (ubuntu package open-vm-tools) you will consistently notice that aa-status returns the following after boot/reboot

1 processes are unconfined but have a profile defined.
/usr/bin/vmtoolsd (517)

A quick investigation yields that /etc/systemd/system/multi-user.target.wants/open-vm-tools.service is set to start After=local-fs.target

Changing this to After=network-online.target let's AppArmor confine the process but it feels like AppArmor should be starting earlier in the boot sequence so it can catch root services that start up in this manner.