External storage credentials, 'save in session', and desktop sync - how does this work?

I’m currently setting up a nextcloud instance. We are using LDAP and external storage using SMB, using credentials saved in session.

This is perfect since a) the user is acting with the proper account and b) their credentials are not stored.

The downside is that sharing isn’t available, but this seems to validate that credentials are not being stored. (How could it work, after all, when neither the sharee nor Nextcloud instance have the credentials)

But…

The desktop client sync works, and as far as I can see the desktop client only has an oauth token.

Could somebody explain how the desktop client is able to act on my behalf?