Currently, the Microsoft Graph API does not offer a more granular alternative to Application.Read.All for restricting access to only the permissions granted to a specific application. The closest solution available today is filtering results by app ID in your API calls, as you're already doing, but this does not prevent broader access at the permission level.
Consider assigning a dedicated managed identity or creating a separate app registration for each application. This approach isolates permissions at the app level, minimizing risks of accidental exposure.
If feasible, you can create a custom API or proxy layer that interacts with Microsoft Graph on behalf of your app. This API can enforce stricter policies, such as ensuring that only data for the specific application is returned.
Hope it helps
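The proxy layer suggested in the answer above, sketched as an added example that is not part of the original answer or any Microsoft sample. The names `permissions_for`, `graph_get` and `Denied` and the sample IDs are hypothetical, and it assumes the caller's app ID comes from an already validated token; only the proxy holds the Application.Read.All credential.

```python
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"

class Denied(Exception):
    """The caller asked about an application it is not bound to."""

def _guid(value):
    # Strict parse to canonical form, so input cannot alter the Graph URL.
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise Denied("malformed id") from None

def permissions_for(caller_app_id, requested_app_id, graph_get):
    """Return the app role assignments of the caller's own application only.

    caller_app_id: app ID taken from the caller's validated token (assumption).
    graph_get(url) -> dict: hypothetical transport holding the
    Application.Read.All credential; proxy callers never receive it.
    """
    requested = _guid(requested_app_id)
    if _guid(caller_app_id) != requested:
        raise Denied("callers may only read their own application")
    sp = graph_get(f"{GRAPH}/servicePrincipals(appId='{requested}')?$select=id,appId")
    if str(sp.get("appId", "")).lower() != requested:
        raise Denied("Graph returned a different application")
    sp_id = _guid(sp["id"])
    url, rows = f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments", []
    while url:  # follow paging so the answer is complete
        page = graph_get(url)
        rows += [
            # Pass through only the fields the caller needs.
            {"resourceId": a["resourceId"], "appRoleId": a["appRoleId"]}
            for a in page.get("value", [])
            if a.get("principalId") == sp_id
        ]
        url = page.get("@odata.nextLink")
    return rows

# Constructed sample data standing in for Graph responses (not real tenants).
APP_A, APP_B = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
SP_A = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
FAKE_GRAPH = {
    f"{GRAPH}/servicePrincipals(appId='{APP_A}')?$select=id,appId": {"id": SP_A, "appId": APP_A},
    f"{GRAPH}/servicePrincipals/{SP_A}/appRoleAssignments": {"value": [
        {"principalId": SP_A, "resourceId": "r1", "appRoleId": "role1", "id": "x"},
    ]},
}

if __name__ == "__main__":
    print(permissions_for(APP_A, APP_A, FAKE_GRAPH.__getitem__))
```

The ownership check runs before any Graph call, so a request for another application's ID is rejected without touching the broader permission.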