We want to start investing a lot in custom connectors inside our Power Platform to be used inside Power Apps & Power Automate. but we have a concern if using those custom connectors which will integrate with external systems can pose any security holes.

Currently we will be using those 3 security types (Basic, API Key & OAuthn 2.0):-

we would assume that ONLY if the user has the username/password then the user should be able to integrate with the external API using the username/password (in case the custom connector is using the basic authentication). Same applies the API key, so ONLY if the user has the API key then the user should be able to integrate with the external system (in case the custom connector is using the API Key authentication). And same thing applies to the OAuthn 2.0, so only if the user has the permission on his/her username the user should be able to use the external API??

so are our above assumptions correct? or users will be able to use existing connectors and connect to the external APIs? for example let take this scenario; ManagerABC who have the API key create a power automate flow or Power Apps and define the API key for the custom connector. then can any user create a new Power Automate or Power Apps and reuse the custom connection and get to the external API even if the user should not have the permission to do so?