Sharepoint - App in app catalog only available in specific sitecollection

Alternative 1

Your App Catalog site can be configured at web application, NOT at site collection level. Since an App Catalog is scoped to a web application, all apps that you want to make available have to be in the App Catalog site for that web application, and eventually to all site collections under it.

However, you can have more than one App Catalog site and create a separate App Catalog in another web application and move specific department site collection there.

Assuming you're on on-prem SharePoint environment, the aforementioned configuration could be done

Updated

Alternative 2 With the help of deployment UI and filtering, you can specify which specific site collection you want your app to be installed on, too. This method is effective for both SharePoint-Online and On-Prem

I found out that a user needs read rights on the app catalog to be able to see the app in "Apps from your organization". This also applies to the list item in the app catalog. So I stopped the permission inheritance on the list item for my app in the app catalog, and only gave specific users of my sitecollection read rights on the list item.

I still can't prevent that those users with rights install it in another sitecollection, but at least not every user can install the app in his sitecollectin.