Can a Shiny application user get unauthorized access to other data in the R session?

Shiny shouldn’t be exposing any information across users, unless you tell it to.  You have to be aware of scope of variables and manage that appropriately.  Please see this article for details on object and data scoping.