I’m a member of the “One app unless you can prove otherwise” camp.
Just starting out, I wouldn’t worry about trying to divide your application into multiple “apps” - it’s not worth the hassle if you don’t need to.
Security is applied at the view layer, not at the app layer. It is each view that needs to decide whether to grant access to a request being made.
Whether you need to create a custom User model is a different question. There is a really good case to be made that if you ever think you’re going to need a custom user, go ahead and implement it at the start. See the docs at Customizing authentication in Django | Django documentation | Django
Question: Have you worked your way through either or both the Official Django Tutorial or the Django Girls Tutorial? I recommend them to everyone getting started. They really do help.
The idea of using several apps started because we are migrating multiple Flask apps, which are completely unrelated to Django. We are doing so because we wanted to manage security and user access in just one site. Honestly I thought it would be possible to deny access to certain urls, so that was other reason about creating multiple apps (so only users with permissions to access app1 could access mysite.com/app1/... routes). But I think even having to apply security at a view layer, it would be nice to have the code of each app in different folders.
I will have to read the Custom authentication link, and probably will follow the Django Girls Tutoriala also. Then I will probably come later if I have any other doubts
Just a couple more thoughts for you to keep in mind:
Django != Flask: If you try to apply the mental-models learned in Flask to Django, you will likely end up confused and frustrated.
Apps != urls: There are no requirements forcing apps to have different url paths, nor are there any requirements or restrictions forcing all views in one app to reside within the same url path.
urls != views: You can have multiple urls calling the same view.