Restrict variable visibility to specific jobs in pipeline

I have a merge result pipeline that uses Kaniko to build and publish a new tag for a Docker image to the project’s container registry. In order to avoid overwriting existing tags, I have an initial job that uses the container registry API to check for the existence of a tag first.

Since the CI_JOB_TOKEN cannot be used to access the container registry API, I have to create and use a project access token to do this instead. As far as I can tell, that needs to go in a CI/CD variable, which means it is available to every job, every image, every script and program in the entire pipeline. The project access token can also remain valid indefinitely, it’s not a transient piece of data like CI_JOB_TOKEN, which compounds this.

Is there a way to restrict such a variable to only certain jobs that are “opted in” to receiving it?

Platform information: using (EE/SaaS) 16.3.0-pre.