Hello, when authenticating as an application all messages from all users can be read. This is why application access is considered highly privileged. Granular access rules will have to be implemented in your business or service layer code.
Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.