I agree the WindowsApps folder is a nightmare for access control. Fortunately most of us are probably still using 95% desktop apps and not the Metro/UWP apps. Though with Win10 forced updates and migration slowly in that direction, reversing these will become more important. So I completely understand why you wrote this app now
.
Can a process with a high enough integrity level running as TrustedInstaller modify ACLs without the driver? I know process integrity level was added a while back and it tends to be weighed in access checks.