A cloud app's access is limited to the intersection of two things: the scopes requested and granted when the app is installed, and the permissions assigned to the app user in the projects' usual permission schemes. Every cloud app has a corresponding user, and you can assign permissions to this app user or remove them from it, just like any other user.
Let's explain with an example. The Issue Reminders app requests the read:jira-work scope so that it can check the resolution and status fields of issues before sending a reminder. You may think that once this scope is granted the app can access all issues, but this is not the case. The app user must also have the “Browse Project” permission for the issue. If an issue is restricted with “Issue Level Security”, you should also add the app user to the list of users who have access under that “Issue Level Security” restriction. For this app, the app user is the “RemindersCloud” user.
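The layered check described above, as an added example that is not Atlassian's or the app's own code: a simplified Python model in which the app can read an issue only when the granted scope, the “Browse Project” permission and any issue security level all allow it, with the denying layer reported. The project keys, group names and the `app_can_read` and `audit` helpers are constructed for illustration.

```python
# Simplified model of the layered checks described above; not Jira's implementation.
# All project keys, issue keys and group names are constructed sample data.
from dataclasses import dataclass, field
from typing import Optional

REQUIRED_SCOPE = "read:jira-work"

@dataclass
class Project:
    key: str
    browse_grantees: set                                   # users/groups holding "Browse Project"
    security_levels: dict = field(default_factory=dict)    # level name -> set of members

@dataclass
class Issue:
    key: str
    project: Project
    security_level: Optional[str] = None                   # None = no issue-level security

def app_can_read(issue, granted_scopes, app_user, app_user_groups=frozenset()):
    """Return (allowed, reason). Every layer must allow; any single layer can deny."""
    principals = {app_user} | set(app_user_groups)
    if REQUIRED_SCOPE not in granted_scopes:
        return False, f"scope {REQUIRED_SCOPE} not granted at install"
    if not principals & issue.project.browse_grantees:
        return False, f"{app_user} lacks Browse Project in {issue.project.key}"
    if issue.security_level is not None:
        members = issue.project.security_levels.get(issue.security_level, set())
        if not principals & members:
            return False, f"{app_user} not in security level '{issue.security_level}'"
    return True, "allowed"

def audit(issues, granted_scopes, app_user, app_user_groups=frozenset()):
    """Map each issue key to the (allowed, reason) result for the app user."""
    return {i.key: app_can_read(i, granted_scopes, app_user, app_user_groups)
            for i in issues}

if __name__ == "__main__":
    ops = Project("OPS", {"jira-users", "RemindersCloud"}, {"Internal": {"ops-leads"}})
    hr = Project("HR", {"hr-team"})
    issues = [Issue("OPS-1", ops), Issue("OPS-2", ops, "Internal"), Issue("HR-7", hr)]
    for key, (ok, why) in audit(issues, {"read:jira-work"}, "RemindersCloud").items():
        print(f"{key}: {'ALLOW' if ok else 'DENY'} ({why})")
```
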
Here is another example. When configuring the add-on's settings and during reminder creation, users are allowed to choose a group from the “group dropdown”. For the add-on to be able to select users and groups, you should give the “Browse users and groups” global permission to the “Atlassian-add-ons-admin” user group.