Depending on how you distribute or publish your apps in QV Server you may have two main scenarios:
You don't have publisher and select one or server folders to be shown on the AccessPoint. This way, all users that logon the AccessPoint will see all the apps that are located in the folders that were selected to be shown. However, and even if every single user can see all the apps, whether he/she cand enter and interact with the apps will depend on permissions that the app(.qvw file) possess
You use Publisher to reload and distribute your apps. This way you have to define in every distribution task which users are allowed to see and interact with the apps, so when a user logs in the AccessPoint, he/she will only see those apps that were distribuited to them.
Based on this I think your case belongs to the first scenario and you'll have to define at file level ( Windows Security Properties) which users are allowed to interact with each app, but you won't be able to hide those apps that they don't or won't be able to use.