What we usually do is creating a custom user that has access to some custom APIs that do all kinds of tasks like initialization, submitting requests, calling Oracle APIs (like Inventory, Receivables, etc.) and other stuff.
The custom user only owns synonyms referencing the custom APIs, which in turn are created in the APPS schema.
Just tested, it's enough to grant only the top package (and not all underlying objects) if you give execute rights :-). So that works perfectly.