Secure "enough" really depends on your use case.
Security is often a tradeoff between cost, time, user experience on product side but also cost, time and gain on the attackers side.
I assume your app is kind of product. So from marketing side, do you need to write "most secure ecryption possible" on your product or just "state of the art encrypted data transfer" ? Does anyone care?
How much could an attacker gain from sniffing the data? How much knowledge, time and money would it cost him?
Is your product usually used in a home environment? Then an attacker would maybe need to wait and sit very long in front of your house to sniff data at all. Not so realistic. Is your app usually used in front of an ATM? Then an attacker would know where to wait.
And then even if an attacker was able to sniff the raw data, can he decrypt it? I agree with comments above: If you can ensure that L3 with ECC192 will be used, a successful attack is very unlikely today.
Is the encrypted data of any value if decrypted in 10 years or so? If yes, maybe additional encryption would make sense, but I see rare use cases for that.
Using RFCOMM or not has little implucations on the security I think.