Nothing to do with Tableau side. What ever user / password you are passing have all the rights on all the schema. Better way to keep data sensitivity, create an user which should have rights to the relevant data sources or schema with read only permission.
Best Practices: Since Tableau Desktop and Server are designed in same way so better is to have control on one hand or one team who should have rights to created extract and publish rights of extract on server with embed password.
And let other users to connect with published extract rather giving privilege on oracle.
Rest you are the best judge of your data and approach.