So it depends on the app - e.g., Google has domain-wide delegation where the workspace admin can provide service account creds that allow us to impersonate all users in the workspace and index all their files/email. During indexing, we determine the users/groups who have permissions file and persist that in the db. (It's not perfect, because Google Drive permission model is a bit complex, but I'm working on it.) This model is much simpler than doing per-user OAuth.

In general, the goal is to use an org-wide installation method wherever possible, and record the identify of the user we are impersonating when ingesting data in the ACL. There are some gaps in the permission-gathering step in some of the connectors, I'm still working on fixing those.