OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.

Home Page: https://mas.owasp.org/


Requirement 2.2 seems (very) inaccurate based on other requirements

jmanico opened this issue · comments

2.2 No sensitive data should be stored outside of the app container or system credential storage facilities.

This says it's ok to store sensitive data in the app container outside of cred storage or memory.

But 2.13, 2.14, and 2.15 really suggest NOT putting sensitive data anywhere not in memory, not encrypted, or not in the keychain.

So I suggest dropping the "app container" part of 2.2; it's misleading.