Forum Discussion
Kristin_L_365
Oct 31, 2025
Copper Contributor
Feature Request: DLP Controls for App Registrations Using Sites.Selected to Prevent PII/PHI Exposure
We’re using the Sites.Selected SharePoint API to restrict app access to specific sites, which is a great improvement over tenant-wide permissions. However, we’re increasingly concerned about the lack of native DLP enforcement at the app registration level—especially for AI-powered apps or integrations that may unintentionally access sensitive data.
Does Microsoft offer any capability to safeguard against PII/PHI data transfer across the Graph API that can:
- Flag apps as restricted from accessing PII/PHI.
- Prevent apps from reading content labeled with sensitivity labels like “Confidential,” “PII,” or “PHI.”
- Enforce real-time inspection and blocking of Graph API calls that attempt to access sensitive data.
- Generate alerts and audit logs when apps approach or violate these boundaries.
If not, are there plans to introduce these protections? Protection across all APIs is desirable, but currently our greatest concern is SharePoint APIs.