Yunohost, for one, does allow an admin to see ALL the possible apps available for installation, BUT they categorize these apps by reliability and stability. 682f4dc1-c041-426a-b147-8313a8c275c1-image.png
Could the same idea/process be adapted for a Superadmin to "categorize" Cloudron App Store apps, making only certain ones visible to the next level Admin. Come to think of it, a Reseller account on MXRoute allows the Superadmin to do exactly this - create a Package, name it, define it's parameters, and allow the Customer the option to choose from the prepared Packages. The Customer never really knows if you've overbooked the VPS or not, or if "better or stronger" options could be available - they only see what the SuperAdmin has packaged as choices.
So, the SuperAdmin would need a way to create a Package, and then assign specific App Store apps to each Package.
In fact, a similar process must already be in use for Cloudron, because only those apps that are "ready" are in the App Store (and even then some are labelled as Unstable)! So, can that be tweaked to let a SuperAdmin make visible only those apps being offered?
I'm babbling on now. Time for bed.
EDIT: I guess the same ability to tweak (using APIs?) could also make the SuperAdmin visible or not in the Admin's Dashboard User list; or hide it from the users in the User List.