Can anyone please suggest in Qlik Sense, what security we should apply for a stream where no one should have any write access( not even Root admins) but all respective developers can see the apps published in that stream via QMC?
This will be applicable by default when you create a new Stream . No security rule is needed, choose by default security which comes up while creating the stream. All app owners and see their respective apps under QMC even when those are published under new Stream. Root Admin can see all apps though, but no on will be able to see the Stream under HUB unless we add any of AD groups and limit the access.
As Anjali said, by default root admins (and some more admins perhaps) would have ALL access (write, read...) to streams. However, there is a way you can make it read-only, and that would require modifying default rules. You have to be very careful when doing so, better create a copy of the default rules and work on them; remove the write permission from them and make the original default rules (which are applicable) disabled.