Did you get this resolved?
In order to see Apps within a Stream, I have to grant users at least read access to the Stream. Once I do that, the user has access to all Apps in that stream.
f I just grant read access to an App, the Stream isn’t visible to the user.
So, there is no App level security possible. Is that correct or am I missing something?