In most (if not all) installation instructions for Debian Third-Party repositories you will find a sentence like this:
wget -O - https://packages.example.com/example.key | apt-key add -
This allows the package maintainers key to sign ALL Debian packages, not only the packages from their repository. I’m not sure why this is still so common when a more secure alternative exists.
Instead of adding the key to the global apt key repository, you can just put the (dearmored) version in the shared key directory:
wget -O - https://packages.example.com/example.key | gpg --dearmor > /usr/share/keyrings/example.gpg
After that, just specify the key in a
signed-by option for your repository in
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://packages.example.com/latest/ buster main deb-src [signed-by=/usr/share/keyrings/example.gpg] https://packages.example.com/latest/ buster main
Now the key can only sign packages for these repositories. This is effective since stretch according to the Debian Wiki.