I guess you could compare it to data in an OFBiz repository.
In my experience access to the OFBiz data is not only based on the user credentials sec, but also on the mapping between the user and the CRUD functions defined in the application. The same is with workspaces, if I understand it correctly. They provide viewpoints to the content stored so that you can maintain multiple reference points to the JCR content.
E.g. a user can have rights to FICO to store invoices and agreements. But another user, with only access to, let's say CRM, would need access to FICO to view the invoice and/or agreement. By defining a new reference point to the content through the CRM workspace he/she could also have access to that object. Workspaces can then be used for cloning, merging and updating.