Yes, each user of an add-on has to authorize it and the add-on runs with the permissions of the current user, who, in this case, is the effective user.
getActiveUser() is usually used in Apps Script web apps, not add-ons, deployed and running under the permissions of its creator (that way you can create a web app which doesn't ask any permission to end users while being able to identify them, especially inside a G Suite domain).
Within an add-on it should also be possible to use getActiveUser() to answer specific use cases (for example, if you want to track every time someone opened a specific spreadsheet, you could have an add-on for spreadsheets that would create an
Installable Trigger which would be able to identify, via getActiveUser() any user belonging to the G Suite domain of the user who set up the add-on inside this spreadsheet).
But in this case, getEffectiveUser() is the appropriate method and will identify the account currently using the add-on.