Limit scope of OAuth GitHub App to specific repo

From reading docs it appears it is not possible to ask for (and be granted) repo scope for a specific repository. Is that correct?

Is choosing a GitHub App instead of an OAuth GitHub App the best way to limit your scope to a specific repository?

The app I want to build will have permission to create new public or private repositories and commit code them. Understandably as the developer I’m nervous about this but as a user I would be very very cautious of such wide ranging access. It would be very useful to limit the scope one or a handful of specific repositories.