
Microsoft Graph uses application permissions for background services. For Outlook APIs, application permission Mail.ReadWrite grants access to all mailboxes.


Is there a way to restrict access to a particular mailbox?

https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference

rink.attendant.6
Rehan

3 Answers


No, you should use delegated access in that instance and the Mail.ReadWrite.Shared grant, which will give access to the mailbox of the owner and any of the mailboxes shared with that user (e.g. ones they have been delegated access to).

I agree; what you're talking about would be a nice feature. Being able to opt out of application permissions for certain mailboxes/users etc. is a requirement that comes up, but the ability to do so doesn't exist. One way to mitigate that is with logic on the server side, e.g. force the application to check a group before accessing mailboxes, and make sure auditing is switched on so you can catch any malicious use of the tokens and credentials.

Glen Scales
  • Thanks for your response. Seems like delegated permission with offline_access and then a refresh_token can be used to obtain a new token. https://stackoverflow.com/questions/50273451/graph-authentication-through-client-credentials-flow-will-my-app-have-access-t https://github.com/microsoftgraph/microsoft-graph-docs/blob/master/concepts/auth_v2_user.md – Rehan Jul 31 '18 at 18:24

This is now possible according to Microsoft Docs.

Some apps call Microsoft Graph using their own identity and not on behalf of a user. These are usually background services or daemon apps that run on a server without the presence of a signed-in user. These apps make use of the OAuth 2.0 client credentials grant flow to authenticate and are configured with application permissions, which enable such apps to access all mailboxes in an organization on Exchange Online. For example, the Mail.Read application permission allows apps to read mail in all mailboxes without a signed-in user.

Administrators who want to limit the app access to a specific set of mailboxes can use the New-ApplicationAccessPolicy PowerShell cmdlet to configure access control.

Pascal R.
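The following is an added worked example (not code from either answer or from Microsoft) of the New-ApplicationAccessPolicy approach described above. It scopes a daemon app's Mail.ReadWrite application permission to the members of one mail-enabled security group and then checks the result with Test-ApplicationAccessPolicy before the app is trusted with it. The app ID, group address and mailbox addresses are placeholders; the ExchangeOnlineManagement module is assumed to be installed.

```powershell
# Added example: restrict an app's application-permission access to a set of mailboxes.
# All identifiers are placeholders; substitute your own tenant values.

# Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$AppId      = '00000000-0000-0000-0000-000000000000'    # placeholder: the app registration's Application (client) ID
$ScopeGroup = 'mailbox-daemon-allowed@contoso.example'  # placeholder: mail-enabled security group listing allowed mailboxes
$Allowed    = 'shared-inbox@contoso.example'            # placeholder: a mailbox that is a member of $ScopeGroup
$Other      = 'ceo@contoso.example'                     # placeholder: a mailbox that is not a member

# RestrictAccess: the app can reach only mailboxes that are members of $ScopeGroup.
# DenyAccess is the inverse (block the group's mailboxes, leave everything else open),
# which is the wrong default for a least-privilege daemon; prefer RestrictAccess.
New-ApplicationAccessPolicy -AppId $AppId -PolicyScopeGroupId $ScopeGroup `
    -AccessRight RestrictAccess `
    -Description 'Limit mail daemon to the shared-inbox group'

# Verify the policy does what you expect before relying on it.
# The AccessCheckResult for a group member should be Granted, for anyone else Denied.
Test-ApplicationAccessPolicy -Identity $Allowed -AppId $AppId
Test-ApplicationAccessPolicy -Identity $Other   -AppId $AppId

# Enumerate every policy in the tenant; review this list as part of periodic audits,
# since an app with no policy still has the full tenant-wide reach described above.
Get-ApplicationAccessPolicy | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats a practitioner should keep in mind: policy changes are not instantaneous (Microsoft documents a propagation delay, so re-run the Test-ApplicationAccessPolicy checks after a while rather than immediately), and these policies govern only the Exchange Online resources exposed through Graph (mail, calendar, contacts). Other application permissions the app holds are unaffected, so the app registration's consented permissions should still be kept to the minimum it needs.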