First, I think the reason that tools like CCleaner are asking for extra permissions on a Windows Server is that the changes it makes apply to ALL users on the system. Since multiple users are logged in (or are able to log in), it makes complete sense to me that it would require elevation. Same thing with Fixit Reader - you are changing a system level default hence you'd need to be an admin. So to me, those elevation requests are expected and required. Now on a desktop workstation, you can only have a single user logged in at any time, so there is little risk of hitting permission issues when changing defaults or cleaning stuff. On that note, I haven't used CCleaner in YEARS on my systems and I would refrain from using it on a Server system as I don't trust those automated cleanup tools on a server environment. They USUALLY are not designed or supported on a server environment and if it kills the server, you have no support to fix it. On top of that, when the tools ARE supported on a server environment, it usually comes with a license that needs to be purchased.
On top of this, a server system has different permissions set on folders than a desktop workstation. Due to this, it could be CCleaner is asking for permissions to a folder where elevated permissions are required on Server, but not on Desktop.
With point number 2, you said that it was with "Existing" users, and I was saying to try with "new" users to that system. The reason being that you could verify then if the default user profile has the appropriate settings. If it does, a solution to this problem could be to blow out the user profiles and have them re-created from default. As a random thought - are any of the users logged in to the server at the same time as trying to run the remote apps? Having 2 sessions open at once may be causing some hiccups. That is also another fun thing - if you RDP into the server AND start a remoteapp session, that will use 2 CALs, so you will need to watch your licenses.
As for it being a user profile issue, I still don't see how either of your examples rule that out. The scenarios you have tested are:
existing non-admin user
existing admin user
Scenarios that were not tested:
new non-admin user
new admin user
If an existing non-admin user has issues AND has a registry value set incorrectly in the HKCU section of the registry hive, that setting is going to persist no matter what you do UNLESS you change or remove the bad setting. If the admin user doesn't have that setting set in the registry, it may be that things work as expected.
Now how that value got set, it may have been by accident, could be intentional, could be to fix a different bug, could be a bug that existed when the user first logged in (in the default user profile) that was corrected in a patch to server 2019, could be cosmic radiation flipping bits on the drive... Creating a new user would result in a fresh copy of the HKCU registry hive being copied from the default user profile which could result in the problem being "fixed".
Having no issues with regular RDP doesn't mean you have no issues with remote apps. They are the same protocol, but different implementations.
With point number 3, the part that I find terrifying is that you have regular end users logging into a domain controller. A domain controller should be a locked down system with very few people having access to it. I would never let a regular end user log into a domain controller, but that is just me. My work environment we have roughly 10 people in the company of over 500 that have permissions to log into the DC's and I am not one of them. On top of that, I would not want additional tools (like an ERP system) being installed on a DC. Auditors are likely also not going to approve that setup and are going to request that you change it.
As for setting up RemoteApps with the overhead of IIS, IIS is not actually required if I remember correctly. I was just double checking my setup and it is an option, but it isn't required. It is only required if you need RD Web Access.
I set my system up with 3 servers - 1 load balancer and 2 application hosts. None of them have IIS running right now. I installed IIS as I thought I may want to do RD Web Access, but it is disabled as we haven't had a need for RD Web access.
I personally like having all of my computers on the same domain in the network as then I can access the computers by their friendly name rather than needing their FQDN to access them and worrying about odd firewall rules and/or VPN to access the servers. I also like having an AD server for a centralized authentication protocol.
I do agree that RemoteAppTool is MUCH easier to configure and maintain than the Microsoft approach, but if I am paying for support on a tool, I would much rather use a supported method for a task. That way I can reach out to the software provider and get a solution rather than reaching out to the community and crossing my fingers someone has run across this issue before.
On top of this, if you set up a remote app server natively, you can have a lot more configuration options and restrictions and load balancing. If you only have a single server for your ERP and it dies (ransomware for example), you are relying on the backups. We had ransomware hit one of our servers and it sat idle for about 6 months before it encrypted everything that user had access to. Restoring from a 6+ month old backup was unreasonable. Our solution - shut off the VM and remove it. We had at that time 6 servers set up with a load balancer, so having 1 go down was annoying, but we had 5 spares.