AppArmor is the default Mandatory Access Control module on Ubuntu, Debian, SuSE and other Linux distributions. Thanks to it, you can limit the filesystem access of a process. AppArmor is enabled by default in all Ubuntu versions and in Debian 10.
Currently HestiaCP simply adds an AppArmor one-liner for Bind9, but it would be a good idea to expand its use, e.g. to PHP-FPM and Exim4.
Below are some articles about using AppArmor: