Possibility to restrict an App Password to one function?


Here, Nextcloud is at the core of my entire IT environment. Everything I have I put in my Nextcloud. For that, I deployed it (docker based) over professional server-grade hardware. I also have all my data in a FreeNAS server that I use to enforce the 3 copies rules (one main, one replica offsite and one offline backup). I test my backup / restore yearly and even more.

Because everything I have is in Nextcloud, I wish to do as much as I can to secure it. Of course, I did enforced 2FA on every accounts. One thing I would like is to restrict the Application Tokens that I created for so many apps.

Ex: Using Floccus for Bookmarks, 2DO Pro for tasks and IOS Calendars / Contacts apps
Is there a way to restrict the 2DO App token to Caldav only ?
Can I restrict the Floccus token only to Bookmarks ?
As of now, each of these apps have access to everything in my cloud account, including all my files, when they don’t need it.

Considering the least privilege approach has always been a very good one for security, how can I reduce the privilege associated with each token ?

Thanks for your. help,