Here I would, at least for security-critical apps, recommend going the Snap route. Not only does it do fine-grained AppArmor mediation, it also does cgroup, udev and seccomp configuration to reduce the attack surface available to the app. It has it way harder than ordinary Ubuntu Touch apps to escape the sandbox, even compared to clicks. Snaps are very well suited for paranoid use cases.