I have the same problem. I am working on an app to grant fine-grained permissions to other apps (https://sam.divoplade.fr/v). The source code is developed at https://sam.divoplade.fr/src.
If you want to implement the same thing, let me know so that we can harmonize our vocabularies.
There are two ways to get permission.
- have global acl:Control ;
- have a container in which the same acl:Authorization lists you as an acl:agent and the app as an acl:origin (beware, the solid ui will put these two in separate acl:Authorizations), and do all the controlling stuff in this container. You need to discard all other global permissions for this to work (your trustedApp object should just have an origin, no acl:Access).
Generally people will be very wary of giving up global acl:Control because then your app can lock the owner out!