You should be able to take advantage of a shared IPv4 for times when you need to access the App (assuming the request fits the requirements of shared IPs).
I think machines line up well with what you seem to be wanting to do. With machines, the App is a shell to contain resources (machines, volumes, IPs, etc.) versus a full fledge resource backed by Nomad. Everything flyctl machine does is backed by an API that you can also use directly.