I think this bug already existed in 2.1.x and still occurs in 2.2rc1.post2.
If there is a page with an app hook (i.e. created by a superuser or a user with "Can change advanced settings" permissions) and the restricted user from above changes this page, the app hook gets lost.
The field "Redirect" is removed too.
The fields "ID", "Login required" and "Menu visibilty" keep their values.
I haven't tested the field "Overwrite URL".
Added test for #988
it seems only overwrite url was special cased, but 'redirect' and 'application_urls' need the same treatment.
Fixed #988 (and made the test slightly better)