Hi @Steve 4848
There are no folder-level permissions, only file-level permissions. I'm not sure if the Files.ReadWrite.All permission you are granting is a delegated permission or an application permission. If you are granting an application permission, then as far as I know there is currently no good way to restrict it to a specific file, but you can restrict which site collections (drives) can be accessed, as detailed here: https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/.
If you are using delegated permissions, then granting Files.ReadWrite is fine from a least privilege security standpoint. The Files.ReadWrite permission also has full access to the user's files and allows the app to read, create, update, and delete the signed-in user's files.
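An added example, not part of the original answer: a way to check whether a Microsoft Graph access token carries delegated or application permissions, by reading the `scp` (delegated) and `roles` (application) claims the Microsoft identity platform puts in the token. The function names, the sample tokens and the `BROAD` review list are constructed for illustration, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

# Assumed review list: tenant-wide file/site permissions worth flagging.
BROAD = {"Files.Read.All", "Files.ReadWrite.All",
         "Sites.ReadWrite.All", "Sites.FullControl.All"}


def decode_claims(token: str) -> dict:
    """Decode the JWT payload segment. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(token: str) -> dict:
    """Report the permission type and any broad grants found in the token."""
    claims = decode_claims(token)
    delegated = claims.get("scp", "").split()   # space-separated string
    application = claims.get("roles", [])       # JSON array
    if delegated:
        kind, granted = "delegated", delegated
    elif application:
        kind, granted = "application", application
    else:
        kind, granted = "unknown", []
    return {"kind": kind,
            "granted": sorted(granted),
            "broad": sorted(set(granted) & BROAD)}


def make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    app_token = make_sample({"roles": ["Files.ReadWrite.All"]})
    user_token = make_sample({"scp": "Files.ReadWrite User.Read"})
    print(classify(app_token))
    print(classify(user_token))
```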