Segregation of data

Hi, we have a local instance of Grafana running on our server. We have several dashboards which all get their information from a cloud IoT platform. The datasource plugin is Grafana Infinity Datasource. We query JSON data using HTTP GET requests. There are no database queries. All of the HTTP request are of the format:
https://[cloud IOT url]/user-specific-endpoint?key=XXXXXXXXXXXXXX&dashboard=d1&panel=p1&queryparams=XYZ

We can filter at the cloud end by __org, __user, and any other identifying info Grafana is able to provide. We can also set a specific key for each dashboard (or even each panel)

My question is - if we prevent user A from accessing dashboard B, and assuming the mentioned filters are implemented at the cloud end - how secure can we say the information served to dashboard is B is from user A?