The session$user is set by RStudio Connect and Shiny Server Pro and made available in your Shiny application regardless of the authentication method or access controls for the application.
Some examples might help this make more sense.
Let's first assume your Connect-hosted Shiny application permits access to anyone - without requiring login. You could use session$user to determine whether or not you want to show corporate branding (your logged in users are part of your company and get no branding; anonymous users are external and get branding).
Next, let's assume your Connect-hosted Shiny application permits access only to two people (configured in the RStudio Connect dashboard): Harris and Aron. When session$user == "harris", you show additional UI because you manage that app. When session$user == "aron", I get a very basic UI.
If an anonymous (not logged in) user attempts to access a Shiny application that requires authentication, they will see that they do not have access and are prompted for login.