For apps accessing data on behalf of signed-in users (delegated access, authorized with delegated permissions), your best option is (as @Andy David - MVP mentions) to limit which users can sign in to the app, which will limit which users' data (and data accessible by those users) the app can access.
For apps accessing data directly (direct/app-only access, authorized with app roles (application permissions) and other flavors of authorization grants and role assignments), you have some alternative authorization options, depending on the type of data being accessed:
- For apps accessing Exchange data (mail, contacts, calendar), you can assign the app access to only certain mailboxes: Role Based Access Control for Applications in Exchange Online
- For apps accessing SharePoint sites, you can authorize an app to only access specific sites: Controlling app access on a specific SharePoint site collections
- For Teams apps accessing team and chat data, apps can request access to only the team or chat they're installed in: Resource-specific consent for your Teams app.
- For apps accessing directory data (users, groups, apps, service principals), you can assign some directory roles at the scope of an administrative unit (AU) of objects, or at the scope of individual objects. You can also make an app's service principal owner of a group, an app, or a service principal.
Note that many of these approaches require working with the app publisher/owner/developer to ensure the app can still function as required.
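The Exchange option from the list above, sketched in Exchange Online PowerShell as an added example that is not part of the original answer. The IDs, scope name, recipient filter and mailbox addresses are placeholders or constructed values; the role name `Application Mail.Read` is one of the built-in application roles.

```powershell
# Added example: every value below is a placeholder or constructed sample.
$appId     = '<application-client-id>'         # placeholder
$spObjId   = '<service-principal-object-id>'   # placeholder: object ID of the Enterprise application,
                                               # not of the app registration
$scopeName = 'Example-Scoped-Mailboxes'        # constructed scope name

Connect-ExchangeOnline

# 1. Create the Exchange Online pointer to the Entra ID service principal.
New-ServicePrincipal -AppId $appId -ObjectId $spObjId -DisplayName 'Example scoped mail app'

# 2. Define which mailboxes the app may touch (constructed filter on a custom attribute).
New-ManagementScope -Name $scopeName `
    -RecipientRestrictionFilter "CustomAttribute1 -eq 'AppScoped'"

# 3. Grant the application role only within that scope.
New-ManagementRoleAssignment -App $spObjId `
    -Role 'Application Mail.Read' `
    -CustomResourceScope $scopeName

# 4. Verify the result for one mailbox inside the scope and one outside it.
#    The InScope column should differ between the two (constructed addresses).
Test-ServicePrincipalAuthorization -Identity $spObjId -Resource 'in-scope.user@contoso.example' |
    Format-Table RoleName, AllowedResourceScope, ScopeType, InScope
Test-ServicePrincipalAuthorization -Identity $spObjId -Resource 'other.user@contoso.example' |
    Format-Table RoleName, AllowedResourceScope, ScopeType, InScope
```

A tenant-wide `Mail.Read` application permission already granted to the same app in Entra ID still applies alongside this assignment, so that grant has to be removed for the scope to be the effective limit.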