Why is GATT attribute security required to be enabled for passkey to work?

Why? Because if the permissions are open there's no encryption required so no need to encrypt the link at all so no need for a passkey because you're not encrypting.

I see. That is why the Android app does not prompt for a passkey when security is set to open even if peer manager is running.

yes peer manager has nothing to do with it. The central reads the attribute, if it gets back an error INSUFFICIENT_AUTHENTICATION (or is that authorisation, I never remember) then it starts the encryption process, else it doesn't bother.

Do you mean I need not run peer manager in ble_app_uart and the passkey feature will still work if I use BLE_GAP_CONN_SEC_MODE_SET_ENC_NO_MITM?

don't know why you're finding this so hard. You don't 'run' peer manager, peer manager is a piece of code which responds to the encryption request/response callbacks from the central and sends the responses required to encrypt the lik. So you need to build it into the app and feed it ble events so it can generate the correct responses when the central starts the encryption process. What however STARTS that process is your app responding to a characteristic read with an error that the characteristic can't be read without encryption, it does that because the permissions on the attribute are set not to be open but to require encryption. So you need both, attribute permissions to get the central to start encryption, peer manager (or your own version which does the same thing) to handle the callbacks which result from starting it.