External storage credentials, 'save in session', and desktop sync - how does this work?

I’m currently setting up a nextcloud instance. We are using LDAP and external storage using SMB, using credentials saved in session.

This is perfect since a) the user is acting with the proper account and b) their credentials are not stored.

The downside is that sharing isn’t available, but this seems to validate that credentials are not being stored. (How could it work, after all, when neither the sharee nor Nextcloud instance have the credentials)

But…

The desktop client sync works, and as far as I can see the desktop client only has an oauth token.

Could somebody explain how the desktop client is able to act on my behalf?

I have the exact same question and would love to see an answer to this.
I added an external SMB storage to my nextcloud with authentication “Log-in credentials, save in session”.
I noticed that my desktop-client, connected via token, instantly started to copy the whole SMB storage to my desktop-PC. I thought this was impossible because the documentation says “Desktop and mobile clients that use tokens to authenticate can not access those shares”.
I also noticed that I can access this external storage with the iOS-app of nextcloud on my iPhone.
I logged out of my account on the webpage and rebooted the whole nextcloud-server. My desktop and iOS apps still had access to the external storage.

How is this possible?

Is there anyone with the same problem?
Or are there users who use “Log-in credentials, save in session” and can’t access their shares, just as described in the nextcloud-documentation?

Normally, if something works that should not work, it’s no big problem. However, in this case, I am unsure how this works and if credentials are permanently stored on my nextcloud-server (and if this is the case, where/how are they stored and secured?)

I guess I will open a bug report if no one can clarify this…