Authentication with regard to embedding depends upon your own application in which you are embedding Metabase not Metabase itself... At least that's the way I understand it. And no, embed users cannot directly access the Metabase application, they do not sign-in to Metabase at all, they sign-in to your application in which you have embedded a Metabase Question or Dashboard.
Here are some links to embed security discussions on GitHub that may interest you:
GitHub Issue #8111, #9494, GitHub Pull #7817
Some time back I inquired about adding users to Metabase programmatically with a view to having embed users sign-in to Metabase itself to use embeds so as to take advantage of Groups but quickly put it on the back burner when I realized it doesn't work that way, that's not the way Metabase handles embeds out of the box, it would take some custom coding in clj and your own application to do it: