All of that is possible. There are two main mechanisms I know of for having multiple apps share logins.
One is in the configuration of the Users service, in the Login Options section. There’s a checkbox there that allows the app to share its login status with other apps that share the same Users table. Using that any apps that share the same Users table would share the same login status.
The other is to have a single app and partition it based on hash urls. This works when all the apps are part of a single domain. In this case you have one Anvil app and multiple pseudo-apps inside it.
Granting access to only certain apps is the same for both methods, have data in your tables that tells you which apps a user should be able to access. If they don’t have access to a certain app, they’d be able to login but have no other functionality available.