Currently, the basic idea is that you have an organization and any member of your organization can use the apps you build there. So, in your case, your organization might have 3 people (you, your associate, and his assistant) and then you'd build the apps for each of them to use.
Since an app is similar to a single web page, you don't necessarily need to create an app for each portion of the project but if you'd like to cleanly section off the different parts of your project it can certainly be useful. Creating smaller apps can also help increase performance.
That being said, if you'd want to restrict access to those apps, you'd need to be on the Business plan or higher. This has come up as a pain point for a number of folks (see this thread or this one, for a couple of examples) and is something the team is taking a look at.
While you can't restrict app permissions on the free plan, you can set up your resource connections to have user-based authentication as @ScottR mentioned which can provide some security.
Let me know if that makes sense!