App-specific restriction of WebIDs

In one imaginary scenario, User1 has a POD. He/she trusts User2 to read his/her POD through App1. However, he/she does NOT want User3 to read his/her POD through App1. He/she does NOT want User2 to access his/her POD through App2, which is a different application from App1.

Thus, Solid needs to know that the request, incoming to User1’s POD, is from User2 through App1. How can this be handled with Solid mechanisms?