Let me clear up a few things:
- It doesn't matter what user creates the API key in terms of access to Podio data. The API key is solely used for identifying the client/application connecting to the API.
- When you use server-side authentication, your external application has access to the same data (workspaces, apps, tasks, etc.) as the user has on Podio.com. No more, no less.
- When you use app authentication flow, the user of your external application has access to everything in that app, since you are authenticated as an app, not as a user.
If user B cannot access the Clients app on Podio.com, I can assure you he cannot access the app through your external application either, if he is logged in via server-side authentication, that is, logged in as himself.
So either you have confused what user you were authenticated as at which time, or you have been using app authentication, which provides full access to the app through your external application.
Username/password authentication works just like server-side auth in terms of access - the difference lies in whether the user has to enter his credentials in your external application or at our site - and we definitely recommend the latter for security reasons.
To answer your question: You should use the server-side authentication to make sure that users can't see anything they cannot see on Podio.com.
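As an added illustration (not part of this thread or Podio's own code), here is the shape of the recommended server-side flow from the external application's side: the user is sent to Podio to log in there, and the application exchanges the returned code on its server, so the resulting token carries only that user's access. The endpoint paths are taken from Podio's public OAuth documentation as an assumption to verify; the client id, secret, redirect URI and the `state` parameter handling are placeholders/assumptions, and nothing is sent over the network.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Podio OAuth endpoints (assumption: check against current Podio docs).
AUTHORIZE_URL = "https://podio.com/oauth/authorize"
TOKEN_URL = "https://api.podio.com/oauth/token"

# Placeholder credentials for the external application.
CLIENT_ID = "my-external-app"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"  # stays on the server, never in a browser
REDIRECT_URI = "https://example.invalid/podio/callback"


def new_state() -> str:
    """Unguessable per-login value stored in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str) -> str:
    """Step 1: redirect the user to Podio; credentials are entered at Podio, not here."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str) -> dict:
    """Step 2: validate the redirect back and build the server-side code exchange.

    Returns the form fields to POST to TOKEN_URL. Because the grant is an
    authorization code issued to the logged-in user, the token is scoped to
    exactly what that user can see on Podio.com (unlike an app-auth token).
    """
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to this session")
    if "code" not in qs:
        raise ValueError("authorization denied or code missing")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI,
        "code": qs["code"][0],
    }


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url(st))
    # Constructed callback as Podio would redirect it, for local demonstration.
    print(handle_callback(f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={st}", st))
```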