Is it possible to create a “negative” ACL

You'll notice the "effective" comment that getfacl is throwing out at you. The issue is that permissions are calculating so that "app" isn't getting the write bit set. That's happening because the mask on the file is set to read-only. The mask is used to limit the amount of permissions that could possibly be given out on a particular file or directory.

An example of why you would want this behavior would be like if you knew the file could legitimately need different users/groups to have access to it but for some reason things were getting complicated with permissions and you wanted a way to say "Whatever the other default permissions are set to, whatever their group memberships are, or whatever recursive setfacl gets executed later on, DEFINITELY DON'T GIVE THIS OUT!" The owning user has a special status in the POSIX world, it has rights other users don't have, like the ability to be non-root and change permissions on a file and have its rights not be limited by the mask (which would be pointless anyways because of the first privilege the system gives them). This is why they still get rwx even though the mask is restricted.

To answer your specific question though: add the write bit to the mask on the file and try again as the john user.

here is a command line version of the above explanation, take note of how the "effective" rights change when all I modify is the mask.

The default ACL is the ACL that is applied to newly created files in that directory. It is also copied as the default ACL for subdirectories created under that directory, so unless you do something to override it it applied recursively.

The default ACL has no effect on the directory itself, or on any files that exist when you change the default ACL.

So in your situation you need to both set the ACL on the directory (for the directory itself) and set the default ACL (for files that you will create in the directory).