It can be done.
First you have to disable the default rule for streams, which gives access to all applications and objects within an app.
Then use a security rule for app access (you can use a copy of the stream rule on the app) and add an additional rule with app.objects as the resource filter
and the following conditions:
(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.App.HasPrivilege("read"))