By default, application permissions are tenant-wide, you get unrestricted access to all resources you've been granted permissions for. It's usually best to run in the delegate permissions context instead, where the effective permissions of your app will be limited to what a given user can access.
That said, for the Exchange scenario application permissions can be further restricted as detailed in this document: https://learn.microsoft.com/en-us/exchange/permissions-exo/application-rbac