Hi Menelaos, yes, it's somehow possible - the token is always generated on behalf of specific user in your gooddata organization, so it inherits the permissions of the said user. So you can either provision separate user in GD based on users in your app, or at least have some shared users divided based on permissions.
Other than that, this scenario is definitely possible and there shouldn't be any major obstacles.