We've created a new "App" which is the first app so far in our solution. The idea is that a group of users will have access to this app only and they will no longer have access to the "main area" of the application. Some of the forms for certain entities will look differently than the others etc. (With "main area" I mean the "normal" area that exists by default more or less).

So, it was easy to give this group of users access to the new app because they have a particular security role and we've assigned this role to the app.

But now the question: How do we restrict this group of users to only have access to this app? That is, when they browse to dynamics they should immediately "land" in the new app and should not be able to reach the "main area" anymore. I feel that since the "default Dynamics"-app doesn't have this "Manage Roles" option I'm not sure what is the best approach to remove this particular security role from default app.

When you say "main area" it means "Dynamics 365 - custom". This is always accessible with url like https://xyz.crm.dynamics.com/main.aspx for everyone.

Under: Settings - Application - My Apps

It can be either hidden in Left navigation for all users excluding System Admin role or visible for all (unlike other apps).

As of today, the only way you can stop users accessing it is by train them to bookmark the app url like https://xyz.crm4.dynamcis.com/Apps/yourcustomApp to land directly & not the https://xyz.crm.dynamics.com to avoid confusion till MS enhance it.

Reference