Probably the closest thing these days is to use the cgroup match extension, together with something that makes sure separate apps are moved to their own cgroup. But that cgroup would be under a separate parent cgroup for each user so it's not ideal.
I expect NFQUEUE or some EBPF magic is a better way to do things - you don't want to be constantly adding/removing per-process iptables rules.
The owner module can control outbound communication by uid/gid. [1] There are no modules to handle things by PID AFAIK. This can however be accomplished by SELinux and Apparmor custom rules but that is a loaded topic.
Firejail [2] and Bubblewrap [3] can put limits on application capabilities and/or take away network access. Firejail has default policies for many applications, all of which can be overridden by user configurations in their home directory. Firejail leverages Linux Capabilities and AppArmor. For example, when I launch VLC even if it were configured to pull down album information, it could not. If one day they added default-enabled telemetry to VLC it would go nowhere.
A round-about and heavy handed way to manage communications by PID would be to isolation applications in their own VM or container and map the VM or container to a unique user or group.
https://linux.die.net/man/8/iptables
But was disappointed by the note:> NOTE: pid, sid and command matching are broken on SMP