If the single Cumulocity user used in your backed has global access to Inventory, any potential user could see & manage devices they shouldn’t if you are not handling that in your backend code. Also it’s kind of bad practice to store credentials somewhere to access C8Y.
If both users have global access on Inventory and also identical permissions, it doesn’t matter so much (but I doubt this is the case for all users in your case).
The backend should ideally use service-users with permissions which are defined in your application/microservice manifest or forward the user credentials / session of the user to authenticate.