MSC4195 says:

An access control policy should be applied based on the result of the OpenID token validation. For example, access might be restricted to users of a particular homeserver or to users with a specific role.

AFAICT, as of 7880124, that's not implemented. It'd be nice if it was.