build: improve documentation about overwriten profiles.

Make it clear why a given profile is overwriten from upstream.

dists/overwrite

@@ -1,8 +1,8 @@
-# Apparmor 4.0 ships several profiles that allow userns and are otherwise
+# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d
-# unconfined. This file keeps track of them and allow apparmor.d to replace
+# This file keeps track of them and allow apparmor.d to replace them by our own.
-# them by our own.
 # File format: one profile name by line.
 
+# Overwrite unconfined upstream profiles that only allow userns
 brave
 chrome
 chromium
@@ -12,22 +12,30 @@ firefox
 flatpak
 foliate
 loupe
-lsblk
-lsusb
 msedge
 mullvad
 nautilus
-openvpn
 opera
 os-prober
 plasmashell
-remmina
 signal-desktop
 slirp4netns
 steam
 systemd-coredump
 thunderbird
-transmission
-unix-chkpwd
 virtiofsd
+
+# Overwrite upstreamed profiles, our local version may be more up to date
+unix-chkpwd
+
+# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while
+# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones:
+# - Keep ours: If they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile
+# - Drop ours: when upstream profiles is better
+fusermount3
+lsblk
+lsusb
+openvpn
+remmina
+transmission
 wg-quick