When exporting to Powerpoint, the first page contains an auto-generated link for the user to "View in Power BI".
I had assumed that this link would just direct users to the original report, where any report specific permissions would be applied. For example if a report is restricted to just 5 users, anyone else would not be able to access it even if they had the Powerpoint file with the link in it.
However, a Powerpoint generated from Power BI has been forwarded on to someone else in the organisation who did not have any explicit access to the original report. They were able to click on the link and view the report in Power BI Service, including some pages containing sensitive data which had been deleted from the slides that were circulated.
This example leads me to suspect that the default behaviour of the embedded link is analogous to the "Share with people in your organisation" option when generating a link from the report itself, i.e. that anyone with the link can view the report.
Is anybody able to confirm that this is the case? If so it is far from ideal that the default behaviour of this link, which appears whether I want it to or not, is to override any security that has been applied to the report, without flagging this up to the person exporting the report to Powerpoint.