The solution you propose is pretty much the current spec: You can specify which apps can be used to work with a resource by adding it as a trustedApp. So you could create a /my-app/ folder and the user could grant you Control permissions for it.
But…
- as pointed out in this thread, this currently can be bypassed by sending the authentication tokens to a server
- it’s considered experimental in the spec and it’s just been pointed out once again that it will be updated
- it’s not very Linked-Data and interoperability friendly to put every application into it’s own sandbox. A more linked data like approach to permissions could also be interesting imo (maybe permissions based on shapes? Idk if that makes sense, but something more into the direction of “access to my music” instead of “access to my music folder”)
So if you want you can give trustedApp a try, but from my perspective it’s only a short-term solution