Hi Vera,
If a user has access to the AdWords / Google Ads account, they can use their login email to create their own OAuth2 credentials. Once they generate said credentials, they can then include those in the request header. Their access to read and modify information would only be limited to that specific account if their login email's access is indeed only for that specific account.
However, if a user uses credentials that were created using an email address associated with the MCC account, then those credentials can be used to read and modify information of all the accounts under that MCC. I hope this helps and feel free to write back if you have additional clarifications.
Thanks and regards,
Peter
Google Ads API Team
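
An added example, not part of the reply above and not Google's code: a least-privilege audit that computes which accounts credentials created with a given login email can reach, following the rule described in the reply. The account IDs, emails, data layout and function names are constructed for illustration, and the handling of a manager linked under another manager is an assumption that generalizes the single-MCC case in the reply.

```python
from collections import deque

# Constructed sample data: manager (MCC) account -> accounts linked directly under it.
MANAGER_LINKS = {
    "MCC-100": ["ACC-201", "ACC-202", "MCC-110"],
    "MCC-110": ["ACC-301"],
}
# Constructed sample data: login email -> accounts that email was granted access to.
EMAIL_ACCESS = {
    "analyst@example.com": ["ACC-201"],
    "agency-admin@example.com": ["MCC-100"],
    "regional@example.com": ["MCC-110", "ACC-202"],
}

def reachable_accounts(email, email_access=EMAIL_ACCESS, links=MANAGER_LINKS):
    """Accounts that OAuth2 credentials created with `email` can read and modify."""
    seen = set()
    queue = deque(email_access.get(email, []))
    while queue:
        account = queue.popleft()
        if account in seen:
            continue  # tolerate duplicate grants and cyclic link data
        seen.add(account)
        # Access to a manager account extends to everything linked under it.
        queue.extend(links.get(account, []))
    return seen

def over_scoped(intended, email_access=EMAIL_ACCESS, links=MANAGER_LINKS):
    """Map each email to the accounts it reaches beyond its intended set."""
    findings = {}
    for email, allowed in intended.items():
        extra = reachable_accounts(email, email_access, links) - set(allowed)
        if extra:
            findings[email] = sorted(extra)
    return findings

if __name__ == "__main__":
    # Constructed policy: what each email is supposed to be able to reach.
    intended = {
        "analyst@example.com": ["ACC-201"],
        "regional@example.com": ["MCC-110", "ACC-301"],
        "agency-admin@example.com": ["ACC-201", "ACC-202"],
    }
    for email in EMAIL_ACCESS:
        print(email, sorted(reachable_accounts(email)))
    print("over-scoped:", over_scoped(intended))
```

Any email listed in the `over_scoped` result is a candidate for being moved from the manager account to a direct grant on only the accounts it needs.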