I think this can be summarized as follows:

Httpd starts as root, changes to httpd user account.

AppDev user account is compiled-in to suexec as run-if-owner matches that
user account.

Suexec invokes AppDev's script with the appropriate userid of AppRun
account in lieu of AppDev user.

AppRun user has no permission to manipulate AppDev owned applications.

Suexec will refuse to run applications owned by AppRun account itself.
