Provide an AppArmor profile
AppArmor isn't super-duper useful, but it's better than nothing, and a tight profile might raise the bar a little: we should ship a profile for mat2 that works on Debian and Ubuntu.
Keep in mind that mat2 is using external binaries that should be sandboxed too: FFmpeg, exiftool, …
I don't know what other distributions are using to sandbox their software, but if someone wants to write profiles for them, be my guest :)