Can I make sure that a shinyapps.io user is not able to get an unauthorized connection to other data in the R session?

Shiny shouldn’t be exposing any information across users, unless you tell it to.  You have to be aware of scope of variables and manage that appropriately.