I think the easiest way to implement this would be in two parts. It wouldn’t give all the features everyone is requesting, but it would represent something usable for most of the desired cases.
PART 1 (easy?):
We already have “tabs” (groups with view: yes). If Home Assistant provided a URL to a tab view with no sidebar, and no developer tools, this would, at least in the view, limit the abilities of that particular page.
Since the web interface actually calls the API, the entire set of devices would still be available, however, the view of them on the presented web page would be limited.
PART 2 (harder?):
Allow different API passwords for each tab view. The API calls would have to allow for more than one password, and if the master password was not used, the entity IDs being acted on would have to be cross referenced with the entities available to the api password as identified by the “tab”. Only a single level of permissions checking would be needed. If a tab has access to a script, but not a light, and the script controls that light then, through the script ONLY, that password has access to that light. An exception should be made for groups, where, if a group is part of the tab, the entities in that group would be included in the permissible entities.