Thanks! Yeah, I did realize after I made this comment that it was unclear to me whether the AppArmor policies defaulted to granting home directory access or not. (I _think_ from the abstractions listed when I checked yesterday that they don't, but I wasn't sure.) Certainly the private-data abstraction seemed redundant, if home directories were outright denied.
I'm still unsure from the most recent edit whether you're doing an Apple-style permission to access one particular subdirectory of the user's home directory, or allowing access to the entire home directory (other than private-data). If the latter, it's unclear to me what the helper dialog would do -- do users commonly have files they want to access that are _not_ in their home directory? (I guess, assuming the default umask hasn't changed, "reading other users' files" is arguably relevant.)
Anyway, I do mean to reply on the mailing list once I have some more coherent thoughts together.