You can limit the apps available to the user through coding the constraints in the .NET project.
As far as section access goes, its a good question. It should apply as a userID gets sent through
the connection and what applies to them using Qlik in the normal channels should be the same
through the API functions.