@dobey Looks like it should be possible with AppArmorDBus?
Since each collection in the secrets service has a path (https://specifications.freedesktop.org/secret-service/latest/ch12.html) and AppArmor can be used to enable only a specific path.
Then we would get something like the Keystore APIs on iOS/Android? With a nice bonus that with a system app for keyring access you would be able to look through the saved data of all applications.
I'll try making a policy later and make a PR/MR if it works.