There does not seem to be any granularity in the services granted to paired bluetooth devices. Once paired and trusted the remote party has full access to all the services on the N900.

Don't pair with any devices you don't want to grant full access to the device.

On the flip side to that, access to the file system from the FTP profile is gated by symbolic links in the directory if you wish to restrict access to specific files you could remap these links to 'safe' directories and copy files in/out of them on the device as a separate operation. Note that by doing this you will change the behaviour for all paired devices, don't mess with these links if you rely on the bluetooth FTP profile.

A smarter solution would be to have a custom FUSE module added to the kernel mounting a virtual file system at the obex-root directory. This could then configure the access based on the connected device. Something for brainstorm maybe.

This, of course, does nothing to counter the fact that from a trusted device your audio could be hijacked and all of your contacts/calendar events read via Nokia PC/Ovi Suite. Don't pair with untrusted devices.