Say you were writing a program that takes a "config-file" parameter and you were (explicitly) passed a filename that, for whatever reason, you couldn't load. Is the proper operation to exit and report an error, log a warning and continue with defaults, or load a default filename silently?
In this particular case, app-armour was configured to prevent dhclient from accessing most of the filesystem. It (app-armour) was dutifully logging errors in /var/log/messages, but dhclient was just silently defaulting back to the very-subtly different default config... queue lots of very subtle debugging effort. Maybe there's some good reason for this behaviour, but at the moment I can't see it.