In the Javadoc for TableSnapshotInputFormat, we have this:
HBase also enforces security because all the requests are handled by the server layer, and the user cannot read from the data files directly.
The snapshot input format operates on HFiles directly, that's how it gains its performance benefits. No requests are handled by the 'server layer'.
Later the Javadoc correctly states the implications:
Note that, given other users access to read from snapshot/data files will completely circumvent the access control enforced by HBase.