TL;DR: apps should run on moons, and their access to each other's data should be managed by a server running on your ship.
Right now, an "app" on Urbit is more like a desktop environment. Apps have access to all of your data, and manage your interaction with your Urbit. Basically, the TempleOS security model.
But in the words of ~wicdev-wisryt, Urbit is eminently securable (X).
Other proposals have been proffered, typically requiring a VM application running on top of Urbit, inside which you would run apps.