If you have pools foo, bar and baz and only want to see foo, you would do:
incus project create my-new-project
incus project set my-new-project limits.disk.pool.bar=0 limits.disk.pool.baz=0
incus config trust add-certificate my-certificate.crt --restricted --projects my-new-project
And now my-certificate.crt can only see themy-new-project project and that project can only use pool foo.