Here is an addition/change to the security rules that you may (or may not) want, depending on your needs:
Scenario: under the proposed custom rules in the GSS package, your RootAdmin roles will be able to see all streams and apps in the hub, which are published. In addition, they can see all unpublished apps in their own My Work stream. This can be overwhelming to see everybody's in-progress apps, but I find it useful for oversight and monitoring. IF YOU DON'T WANT THIS capability, then consider the changes below:
1) in the custom security rule called "_abc - Root Admin Group Rule", uncheck the Export data checkbox, and then change the Context to Only in QMC. This will remove all of the unpublished apps from being seen in the RootAdmin's My Work stream (they will still see their own unpublished apps, just not others').
2) Since this will also remove their built in ability to see all streams, you will want to add a @QlikGroup custom property value of "Admin" or something similar to each stream in your QMC. Then add the group "Admin" to any RootAdmins in your security catalog. What this does is allow the group access rule (_abc - Group Access Rule) to give read access to all streams for the RootAdmins.
See screenshot below. I used the @QlikGroup value of "IT" on all of my streams and then added the security group "IT" to all of my Admins, so they could see all streams.