I wish more were documented about app access. As far as I can tell, this is the only Atlassian doc on the subject:
Even if there were more/better docs, it is an area that is undergoing some change right now. There are a couple of recent RFCs dealing with app permissions from various contexts:
Perhaps the larger concept to understand is the overall shared responsibility model: