While AppArmor is nice and it definitely does what it advertises, there are some caveats:

• It relies on developers to write and supply profiles (or others who contribute the time) 
• Profiles have to be bulletproof before they can be included in the default installation, which could be the reason there are so few even after a decade
• It's fairly unknown and most people don't even bother with it outside of the defaults

It also goes off path, rather than inode, meaning you can do things such as create a hardlink to bypass restrictions:

$ sudo ln /usr/sbin/tcpdump /usr/sbin/tcpdump-clone

Admittedly, if you're on a box and have sudo, it's pretty much game over at that point anyway:

$ sudo tcpdump -i enp0s3tcpdump: enp0s3: You don't ...