They're still in complain mode, cause enforcing them breaks the
applications (when they read from tor-controlport-filter's socket, they
get empty data and fail). And there are still some audit log entries
generated for onionshare-gui, for reasons I do not yet understand. There
are a few other questions in comments.

However, this is actually solving the blocking issue we have with the
stub AppArmor profiles flooding the journal. Fixing these AppArmor
profiles so we then can enable them is more like a bonus.