App-access is orthogonal to user-access … and both are covered by the access control lists - either by assigning a webId to a server-side app or granting access for a browser-app through its origin header.
So apps do have an identity - either a real webId or their “origin” header.
Unfortunately the origin header check is not working (and disabled as I understand it). See "Access control by origin header not working? · Issue #986 · nodeSolidServer/node-solid-server · GitHub" - and also the discussion here: "Inter-app access control - #18 by JornWildt".
So, in principle, the server-side framework for app-access-control exists - but the UX for granting access is bordering between horrible and just non-existent. There really should be some sort of nice user-friendly “OAuth dance” for granting access to your POD by a specific app.
As it is now, any web-app you log in with will be able to harvest or even delete all your contacts, photos and so on without you ever knowing what happened - maybe just by accident (programmer errors).
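
An added illustration of the post above (not code from the post or from node-solid-server): a simplified model of an ACL check that combines the user's webId with the browser app's Origin header, run with the origin check off and on. All names, URLs and the `enforceOrigin` switch are hypothetical, and the sample authorizations are constructed.

```javascript
// Constructed sample ACL: each entry lists who (webId), from where (origin), and what (modes).
const ALICE = 'https://alice.example/profile/card#me';
const BOT = 'https://backup-bot.example/profile/card#me'; // server-side app with its own webId

const authorizations = [
  // Alice, but only through the one browser app she trusts.
  { agents: [ALICE], origins: ['https://contacts-app.example'], modes: ['Read', 'Write'] },
  // Server-side app: identified by webId alone, read-only.
  { agents: [BOT], origins: [], modes: ['Read'] },
];

// Simplified decision function (an assumption, not a full ACL evaluator):
// an entry grants access when mode and webId match and, if origin checking
// is enforced and the request carries an Origin header, the origin is listed.
function isAllowed(auths, request, enforceOrigin) {
  return auths.some((auth) => {
    if (!auth.modes.includes(request.mode)) return false;
    if (!auth.agents.includes(request.webId)) return false;
    // Non-browser clients send no Origin header; the webId is their identity.
    if (!enforceOrigin || request.origin == null) return true;
    return auth.origins.includes(request.origin);
  });
}

// Alice logged in to an app she never granted anything to; it asks to write.
const otherApp = { webId: ALICE, origin: 'https://other-app.example', mode: 'Write' };
const trustedApp = { webId: ALICE, origin: 'https://contacts-app.example', mode: 'Write' };
const botRead = { webId: BOT, origin: null, mode: 'Read' };
const botWrite = { webId: BOT, origin: null, mode: 'Write' };

function demo() {
  return {
    otherAppNoOriginCheck: isAllowed(authorizations, otherApp, false), // inherits Alice's rights
    otherAppWithOriginCheck: isAllowed(authorizations, otherApp, true),
    trustedAppWithOriginCheck: isAllowed(authorizations, trustedApp, true),
    botRead: isAllowed(authorizations, botRead, true),
    botWrite: isAllowed(authorizations, botWrite, true),
  };
}

console.log(demo());
```

With the origin check off, the decision depends only on the logged-in user's webId, so every app the user signs in with gets the user's full set of modes.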