Thanks Rajan, but if you go through the video, you'll see that he didn't give app level permission and still see the apps (8:34 Qlik Sense Stream Management Security Rules and Exception Management - YouTube), and this is the part I'm confused. Can you see my original question/screenshots and figure out why? Thanks!
The users with Stream permissions will get only Stream access. To get the users App Object you need to create another Rule to set the App Access and then there select AND App.Stream <Stream Name>.
Similarly, One need to give the users access to AppObject with which the user get access to the App Sheets and other objects. For the one need to create the Security Rule for AppObject and set the permissions for the user group as AppObject in <Stream Name>.
This way the users get the guided access to the Apps and App Objects within the Stream.
Sometimes the users won't have access, by default they should see all apps if they have stream access..
Anyway, you can create a new rule to allow the users for App access
Resource Filter: Read
(resource.resourcetype = "App.Object" and resource.published ="true" and resource.app.HasPrivilege("read"))
guess that should work, if you like you can add your User Group to the rule?