Well, it should be no different then with other runtimes, like Rails or maybe a PHP app.
`node` is a binary file, and when you run it, you run it as a certain user. This user can access some files on the system, and is blocked to others. Likewise, other users can access certain files owned by this user, or can be blocked from others. Typical program like any other.
If you want to isolate a Node app on a, say, typical linux system, you would run the Node runtime with a separate user, created just for the app. You would protect it's home directory (or wherever the app is served from) so that only that user (and possibly autodeployment etc scripts) can access it. If you want to protect other places on the system, do not let your app user (or node user) access to that folder.
But those are simple use cases. Seemingly more complex solution would be if you "dockerize" your app - put it in the docker container. The app is then, well, contained. Permissions are much more restrictive, depending on your setup. And you get other benefits - streamlining deployments, testing etc.
The best part of dockerizing a node app is that it's super simple. You learn it in one afternoon, you practice maybe a week and you are good - new skill acquired, new levels of complexity that actually simplifies stuff for you reached, new options open. And it's applicable to more then just node, you can then dockerize other stuff too - database/cashing systems, file systems, nginx and whatnot.
Take a look at one of the tutorials available online and see how it goes.