This solved my issue! My apps run as apps/apps user/group, but files that they accessed were all over the place as far as owner/group went.
Question though: I noticed that the built-in apps user is not a member of builtin_users. Shouldn’t it be?
> id apps
uid=568(apps) gid=568(apps) groups=568(apps)