ReHIPS forum

English Subforum => Developers' Blog => Topic started by: fixer on May 31, 2017, 01:09:08 PM

Title: [Bug] AppContainer and mishandled BaseNamedObjects access rights
Post by: fixer on May 31, 2017, 01:09:08 PM
When a new directory (I don't mean a file system directory here) for an AppContainer application is created, its access rights are based on the BaseNamedObjects directory access rights with the addition of several allowing ACEs. For all LogonSid ACEs, access rights are set to maximum. But there is no check whether this is an allowing ACE or a denying one. So if for some reason we have a denying ACE there, we're in trouble, as it leads to a denying ACE with maximum access rights for LogonSid. So it basically blocks any access to the AppContainer directory, which results in the AppContainer application's failure to operate completely.

So beware not to add any denying ACEs for LogonSid to the BaseNamedObjects directory.

This issue was found several months ago; it wasn't fixed then. I haven't checked it since.
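The behaviour described in the post, as an added Python model that is not part of the original post and is not Windows or ReHIPS code: it derives a directory DACL with and without the ACE-type check and runs a simplified access check over the result. The `Ace` class, the function names, the logon SID value, the narrow deny ACE and the choice of SID for the extra allowing ACE are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

ALLOW, DENY = "allow", "deny"
# Directory object access masks as defined in the Windows SDK headers.
DIRECTORY_QUERY = 0x0001
DIRECTORY_CREATE_OBJECT = 0x0004
DIRECTORY_CREATE_SUBDIRECTORY = 0x0008
DIRECTORY_ALL_ACCESS = 0x000F000F

@dataclass(frozen=True)
class Ace:
    kind: str   # ALLOW or DENY
    sid: str
    mask: int

def derive_dacl(base, logon_sid, extra_allow, check_type):
    """Copy the base DACL, set LogonSid ACEs to maximum, append the extra allow ACEs.
    check_type=False models the behaviour the post describes (ACE type ignored)."""
    out = []
    for ace in base:
        if ace.sid == logon_sid and (ace.kind == ALLOW or not check_type):
            ace = replace(ace, mask=DIRECTORY_ALL_ACCESS)
        out.append(ace)
    return out + list(extra_allow)

def access_check(dacl, token_sids, desired):
    """Simplified DACL walk: ACEs in order; a deny on a still-needed right fails."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == DENY and ace.mask & desired & ~granted:
            return False
        if ace.kind == ALLOW:
            granted |= ace.mask & desired
        if granted == desired:
            return True
    return False

def risky_aces(base, logon_sid):
    """Audit helper: deny ACEs for LogonSid that the derivation would widen."""
    return [a for a in base if a.kind == DENY and a.sid == logon_sid]

# Constructed sample data: made-up logon SID and a made-up narrow deny ACE.
LOGON, APP_PACKAGES = "S-1-5-5-0-1000001", "S-1-15-2-1"
BASE = [Ace(DENY, LOGON, DIRECTORY_CREATE_SUBDIRECTORY),
        Ace(ALLOW, LOGON, DIRECTORY_QUERY | DIRECTORY_CREATE_OBJECT)]
EXTRA = [Ace(ALLOW, APP_PACKAGES, DIRECTORY_ALL_ACCESS)]
TOKEN = {LOGON, APP_PACKAGES}
WANT = DIRECTORY_QUERY | DIRECTORY_CREATE_OBJECT
```

With the type check off, the one-right deny ACE becomes a deny-everything ACE and every request from a token carrying the logon SID fails; `risky_aces` lists the base ACEs that would trigger this.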