Why is it recommended to create a group and user for some applications?
It is not to create one user and group per application, but per service.
That is, programs that are executed by a local user don't need
to be installed as a user other than root.
It's daemons, programs running in the background and that execute
requests coming through the network or other communication means,
that should run as a dedicated user.
The daemon runs as a dedicated user so that if it misbehaves
(due to a bug, probably triggered by an attacker) the damage it can do
is limited: only the daemon's data files are affected
(unless the attacker managed to find a local root hole, which can happen).
For example, the database daemon mysqld runs as a dedicated
user and group mysql:mysql and the data files of the database (/var/lib/mysql/*)
belong to mysql:mysql.
Note that the daemon executable and other static data and configuration files
that are used but should not be modified by the daemon must NOT belong to
the dedicated user; they should be owned by root:root,
like most program and configuration files.
The mysqld process has no business overwriting /usr/sbin/mysqld or
/etc/mysql/my.cnf,
so these files must not belong to the mysql user or be writable by the
mysql user or the mysql group.
If some files need to be readable only by the daemon and the administrator,
they should be owned by the user root and by the dedicated group,
and have mode 0640 (rw-r-----).
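
The ownership rule for static files can be checked mechanically. The script below is an added example, not part of the original answer. It assumes GNU `stat`, and the function names `daemon_can_modify` and `audit_static_files` are made up for illustration. It reports any file the service account could modify through ownership or write bits.

```shell
#!/bin/sh
# Added example: audit that a daemon's static files (executable, config)
# cannot be modified by the dedicated service account.
# Assumes GNU stat. Not covered: ACLs, supplementary groups, and
# writable parent directories (which allow replacing the file).

# daemon_can_modify FILE USER GROUP
# Returns 0 if USER:GROUP could modify FILE, 1 if not, 2 if stat fails.
daemon_can_modify() {
    file=$1
    owner=$(stat -L -c %U -- "$file") || return 2
    group=$(stat -L -c %G -- "$file") || return 2
    mode=$(stat -L -c %a -- "$file") || return 2
    # The owner can always chmod the file, so ownership alone is enough.
    [ "$owner" = "$2" ] && return 0
    perm=$((0$mode))                      # stat prints octal digits
    # Group write bit set and the file belongs to the service group.
    [ "$group" = "$3" ] && [ $((perm & 020)) -ne 0 ] && return 0
    # World-writable files are writable by the daemon too.
    [ $((perm & 002)) -ne 0 ] && return 0
    return 1
}

# audit_static_files USER GROUP FILE...
# Prints one line per file; returns non-zero if any file fails the check.
audit_static_files() {
    svc_user=$1
    svc_group=$2
    shift 2
    bad=0
    for f in "$@"; do
        daemon_can_modify "$f" "$svc_user" "$svc_group"
        case $? in
            0) echo "FAIL $f: modifiable by $svc_user:$svc_group"; bad=1 ;;
            1) echo "ok   $f" ;;
            *) echo "SKIP $f: cannot stat"; bad=1 ;;
        esac
    done
    return $bad
}

# With the paths and account named in the answer:
#   sh audit.sh mysql mysql /usr/sbin/mysqld /etc/mysql/my.cnf
if [ "$#" -ge 3 ]; then
    audit_static_files "$@"
fi
```

Data files such as those under /var/lib/mysql are expected to fail this check, since the daemon must own them; run it only against files the daemon should not change.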