I love that cheeky "oh btw, there's also another vulnerability in Rust coreutils rewrite, but we aren't talking about that" paragraph.
That's because it's not a vulnerability per se. They found a way to use `rm` as a gadget for their privilege escalation.
The core problem is that there's a world-writable directory that is processed by a program running as root.
But this vulnerability is enabled by a very creative exploitation of the complicated bind mounting scheme used by snap-confine. Just reading about these mounts from /usr/lib to /tmp and back triggered my sense of a potential security vulnerability.