Yes @Athina, for me this is correct. The important point is that it is not enough that user B authorized the application to read data; it is also mandatory that user A has rights to read B's data. Both are necessary, which is what makes it safe.
Knowing that there is a way for an application (I think, this is my experimentation …) to get around app permissions, but this is a back door / bug I guess: An application can easily get around apps permissions