You can set permissions for the block based on a visitor group. The visitor group can check the URL and see if it matches the site the block can be used for. Don't think there is a built in visitor group criterion to check the URL but that can easily be created: https://world.episerver.com/documentation/developer-guides/CMS/personalization/developing-custom-visitor-group-criteria/ 

I'd have been tempted to override the ContentTypeAvailabilityService to return just the content types we wanted but actually that approach of using visitor groups is a better and simpler one.

Interesting approach with Visitor Groups, I would never have thought of that.

Is it possible to do this directly in code? We have lots of blocks and several installations (dev, stage, preprod and prod) and we wouldn't want to do it manually for all these instances.

I'll check the ContentTypeAvailabilityService tips as well, thanks

In that case you could use a virtual role: https://world.episerver.com/documentation/developer-guides/CMS/security/Virtual-roles/ in place of a visitor group and assign that to the block model using the Access attribute: https://world.episerver.com/documentation/developer-guides/CMS/Content/Attributes/

You can implement a custom virtual role by inheriting VirtualRoleProviderBase: https://world.episerver.com/documentation/Class-library/?documentId=cms/11/1B4BB538 

Thanks for all the help. The customer ultimately decided to go the route of setting up virtual groups for each site and llimit the access on the blocks by editing it manually in EPiServer admin (no coding required). Still, I'll keep the other solutions in mind if it ever turns up again :)

Regards, Peter