As an enterprise or management tenant, we are currently able to allow/disallow subtenants to upload microservices by subscribing/unsubscribing the microservice hosting feature.
It would be good to have something similar for the web applications, since an enterprise tenant might not want the subtenants to upload their own apps or overwrite the apps of the enterprise tenant.
This would also be kind of an security enhancement as in theory a bad admin of a subtenant is currently able to replace one of the default apps with a custom one. Within that custom application he could send the credentials that are used within the login process to e.g. an external service to gain access to the credentials of the other subtenant users.