@WinTechie Thanks for reaching out. When you create an APIM with no custom domain, the base URL is the default hostname <apimname>.azure-api.net. And when you add custom domains to the API Management instance, the first custom domain added for the gateway endpoint represents the oldest one and will be the default base URL.
However, you can manipulate the base URL with the feature Default SSL binding. If you have a custom domain with the Default SSL binding option marked, it will be the base URL on the APIM settings section. This does not mean that it is the only domain you can use, but instead, you can use all domains added to the APIM custom domains section as shown below
The default SSL binding is a way to move the base URL between the custom domains. If no SSL binding is clicked, then the first custom domain added for the gateway endpoint would return to be the base URL.
Regarding segregating APIs based on the base URL, there is no way in the Azure portal to do that. If you are concerned about default certificates issues for the Gateway, you can check out the article How API Management proxy server responds with SSL certificates in the TLS handshake which describes more on that topic.
For any other questions, feel free to reach out. Would be happy to answer any.