Do you mean I can set a default app for all users, where all private KO's are automatically saved? This would be a workable solution for my problem. How would one do this?

The reason I want this is rather complex. Suffice it to say that it is important for me that all KO's that are necessary for the functionality of an app (such as saved searches that fill lookups and summary indexes) are within the app directory; not in etc/users/apps/*.

Hi,

this is how you set app as default app https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/ConfigureSplunktoopeninanapp

Just create new role e.g. "security team", create a new app in splunk web with barebone temple an name it "security team" than go back to your new security team role and set as default app "security team" app.

This does not seem to work. It sets the default app shown upon login, but if I for example save a search from the Launcher app with a user whose default app is Search, the report is still saved as a private search within the Launcher app, not the Search app.

Thats correct, its not "preventing" the user BUT its "help" the user to start off in the correct app/context. The rest would be education of the user and tell them not to save staff outside there team app.

You could also eddit the permissions for search and launcher app from everyone to admin only, and the user is not able to leave the team app

Ik do not want to restrict users from viewing most apps, just prevent them (and even the app developers) from saving private KO's in them.

KO are private shared as default, so I can´t think about an easy way to get there..

maybe something custom.