Wherever you create your security rule, you can find all of them in QMC --> Security Rules.
You can have Read Only rules (you cannot modify those rules), Default rules (they come with the installation; you can modify and delete those rules) and Custom rules, but there is no execution hierarchy: all rules will be executed, and the user benefits from the union of the two sets. That means if you have a rule A which allows only Engineering users, except anonymous ones, to create an App, and a rule B which allows only Power users to create an App, both of them will be executed; as a result, Engineering and Power users will be allowed to create an App.
Security rules are very flexible; you can really implement the same behavior in several different ways, so it is up to you where and how to write the rule.
If you have 25 apps in more than 10 streams, sheet-level access is probably not what you want to implement.
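The union behaviour of rules A and B described above, as an added example that is not part of the original post and is not Qlik's rule engine or rule syntax: a small Python model that reports, per user, which rules grant the action. The `User`, `Rule`, `granting_rules` and `audit` names, the group attribute and the sample users are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # constructed stand-in for a user property
    anonymous: bool = False

@dataclass(frozen=True)
class Rule:
    name: str
    resource: str              # resource type the rule applies to
    actions: frozenset         # actions the rule grants
    condition: Callable[[User], bool]

def granting_rules(rules, user, resource, action):
    """Names of every rule that grants `action` on `resource` to `user`."""
    return [r.name for r in rules
            if r.resource == resource and action in r.actions and r.condition(user)]

def audit(rules, users, resource, action):
    """Map each user to the rules granting access; an empty list means no access."""
    # No hierarchy and no deny: access is the union of all matching rules.
    return {u.name: granting_rules(rules, u, resource, action) for u in users}

# Rules A and B from the text above (constructed sample data).
RULES = [
    Rule("A", "App", frozenset({"create"}),
         lambda u: "Engineering" in u.groups and not u.anonymous),
    Rule("B", "App", frozenset({"create"}),
         lambda u: "Power" in u.groups),
]

USERS = [  # constructed sample users
    User("eng", frozenset({"Engineering"})),
    User("power", frozenset({"Power"})),
    User("both", frozenset({"Engineering", "Power"})),
    User("anon_eng", frozenset({"Engineering"}), anonymous=True),
    User("anon_power", frozenset({"Power"}), anonymous=True),
    User("sales", frozenset({"Sales"})),
]

if __name__ == "__main__":
    for name, via in audit(RULES, USERS, "App", "create").items():
        print(f"{name:11} create App: {'yes' if via else 'no':3} granted by {via}")
```

In this model `anon_power` is allowed because the anonymous exception written in rule A does not carry over to rule B, and `both` keeps access if either rule is removed on its own.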