First of all: a great thank you to all developers for this great piece of software!

I am a little confused about how app-specific passwords work.
For the following: I don’t use TOTP at the moment.

I want to use app-specific passwords for 3rd party calendar apps, where I don’t want to enter my user password. So I’ve added a new password, gave it a name and in addition I’ve unchecked “allow filesystem access”.

My understanding: The app-specific password is now, after a first login of the app using the new password, limited to be used with this instance/installation/id of the calendar app. So the password cannot be used to log in with any other app or the web frontend. Also, the app cannot access my files stored in Nextcloud.
Is this how app-specific passwords work?

I am also using Rainloop with pre-provided email and IMAP password in personal settings for each user.

Is there any chance that the calendar app-specific password is used to access mails through Rainloop?
Let’s say the calendar app has a backdoor and not only syncs to CalDAV but also uses the app “Rainloop” to access mails e.g.?

Thanks in advance