Change Privacy (GDPR) so only Super Admins can toggle this
The feature in Mobile 8.5 where you can show/hide apps installed on devices should be a feature only Super Admins can toggle.
In order to prevent Helpdesk and Admins to toggle this and thereby be able to see private apps installed on private/BYOD devices, should be limited to Super Admins (=DPO). This would make this feature more GDPR compliant.
This idea is related to this issue: https://ideas.sophos.com/forums/143212-sophos-mobile/suggestions/4978427-hide-the-display-of-apps-for-user-privacy