The topic space in which devices and applications operate is scoped within a single organization. The IoT Foundation uses the org ID to isolate topics so data from one organization is not accessible by another. Is that what you are asking or do you want to specifically prohibit applications that authenticate within the same org from publishing to a topic within the same org space?
Speaking in terms of applications and devices, are you wanting applications to only be able to subscribe to topics (events) for devices, rather than publish to topics (commands) for devices? Also, do you want to control which applications can work with (publish / subscribe) to a certain set of devices?
