In order to have access to 'cross-app' data, the user needs to belong to both apps.
However, a good way to manage the permissions is to make a new role for those 'limited' users so they can only see the bare minimum.
Add a bare dashboard too and hide everything else.
It might be worth setting up a 'group' to have all these cross-users belong to a group to more easily manage.
(Generally I try to keep everything in one application, and then manage the permissions all on one spot. Makes it much easier to manage and troubleshoot from the admin side of things)