...
When the user logs in to SharePoint a user token is created for this user.
The user token (together with some additionally required information) is then used to request an access token from SharePoint. Thus the access token is issued for this specific user.
The access token is then used for every request of data from the Confluence macro to SharePoint. That means that the response contains only SharePoint data that the logged in user is allowed to access.
...
How user permissions affect Confluence Macros
The user has to be logged in to both systems (Confluence and SharePoint) in one browser window while using the app.
...