Agree with Sandeep.
I just verified the same in our internal tenant and they are not associated to the same catalog and hence you may apply restriction by the business roles assigned to the business users.
Here is what you can do, go to the app, 'IAM Information' and compare the application by the business roles and business users.
You will be able to identify which business user has access to which app and can modify roles accordingly. Attached is a snippet from the 'IAM' app.
Hope this helps!
thanks! Amith Nair