A token is not the same as identity. A token is linked to an OAuth application, which in turn has specific scopes. Therefore, a token can be viewed as an API key with a certain permission scope. A token can’t be used for another OAuth application, or for a scope that wasn’t explicitly permitted.
Also, when a Power BI user, for whom a token was issued, changes the account password, all previously issued tokens are immediately invalidated and become useless.
As with any other connector, sharing a Power BI (or any OAuth connector) represents a risk, because a connector is basically a set of credentials. Resetting authorization can be required before copying. But again, it’s not different from any other connector.