Over the past year Microsoft have released Sites.Selected permissions for both Microsoft Graph & SharePoint which can be given to an Azure AD App (App Registration). When created the app by default with Sites.Selected permissions does not have access to any SharePoint sites and has to be explicitly added added using Microsoft Graph or PnP PowerShell (Grant-PnPAzureADAppSitePermission) to the site(s) to be administered. Both processes only give the access Read or Write permissions to the site and not Full Control.
Today quietly Microsoft released a SharePoint Azure AD app registration permission level Sites.Selected. This allows PnP PowerShell cmdlets and CSOM to be used using SharePoint application permissions to a specific site(s). This is independent & different to the Microsoft Graph permission level Sites.Selected.
Testing out the new Microsoft Graph permission level Sites.Selected which allow an app access to just specific SharePoint site collections rather than all.