If I apply the Content Admin Role to a user, when that user is in My Work in the hub they can see everyone's unpublished apps. What setting would prevent them from seeing apps in other users My Work area?
Content Admin Security Rule. Basically you would want to make modifications here where the the resource is owned by the user name.
Check out this webinar for more information: SecurityRulesFullPresentation.mp4 - Google Drive
Retrieving data ...