I am actively using the Engine-rest application for all REST queries from my application. Can I follow this approach, or should I create my own set of REST APIs to do what engine-rest provides? How can I secure engine-rest so that it can be accessed only from my application or by an admin user?
Using the prebuilt engine-rest application is perfectly fine. Custom REST endpoints make sense when you want to restrict or extend the number of exposed endpoints.
You can implement authentication by adding a servlet filter on top. The application already ships with an implementation for HTTP Basic Auth. Here is the docs entry that describes how you can activate it: https://docs.camunda.org/manual/7.8/reference/rest/overview/authentication/
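
What activating the shipped Basic Auth filter looks like in the engine-rest web application's `WEB-INF/web.xml`, as an added example that is not part of the original answer. The filter name `camunda-auth` and the `/*` mapping are choices made for this example; the linked docs page is authoritative for your version.

```xml
<!-- Added example: enable the authentication filter that ships with engine-rest. -->
<!-- Place inside the <web-app> element of the engine-rest WAR's WEB-INF/web.xml. -->
<filter>
  <!-- Filter name is arbitrary; it only has to match the mapping below. -->
  <filter-name>camunda-auth</filter-name>
  <filter-class>org.camunda.bpm.engine.rest.security.auth.ProcessEngineAuthenticationFilter</filter-class>
  <init-param>
    <!-- Provider that validates HTTP Basic credentials against the engine's users. -->
    <param-name>authentication-provider</param-name>
    <param-value>org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>camunda-auth</filter-name>
  <!-- Cover every REST resource so no endpoint is left reachable unauthenticated. -->
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

Basic Auth sends credentials only base64-encoded, so expose the API over HTTPS. The filter authenticates callers; limiting what an authenticated user may do additionally requires authorization to be enabled in the process engine configuration.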