And I want to be used as an opc server for the benefit of a third-party client who can contact me and receive tags, but I want to limit the tags he can see in a specific folder and not be able to see all the tags, but only what is in the folder.
The permissions are applied per device or per tag provider, nothing more granular than that. So you'd be able to make a Tag Provider with tags meant for external consumption and set up a role that could access only that provider.