How the app private data are protected in the since that no user can alter these data like app default configurations, user specific data like rating which cannot be altered by the user himself ?

it is all depends on the app private key? where is it stored ? is it accessible by the users ?

Private app data is encrypted client-side before being uploaded to Gaia. The private key used to do so is deterministically derived from your 12-word backup phrase and the application’s URL. The Browser derives it on sign-in and passes it to the application via the URL when it redirects the user back to the application. It gets stored in localStorage.

user specific data like rating which cannot be altered by the user himself ?

The users can alter their data, since they own it If you want data to be unalterable, consider writing it to the underlying blockchain.