When registering a SharePoint App on tenant level with Sitecollection permissions, all sitecollections can be accessed using an App-Only context in that tenant.

We have lots of customers who want to exclude some sitecollections to be accessed, for example those labeled in AD with a sensitivity label, or tag, or certain URLs.

Please make it possible to support this.
A good place to do this, is in the Azure Portal.