You can attach a security group to a Client VPN attachment that you can use to grant network accesses. But this security group is shared for all users that connect via this Client VPN endpoint.
If you provide this endpoint for multiple users via Active Directory authentication you can defined more fine grained network access via these authorization rules. They allow you to limit the access for users with certain Active Directory group memberships to certain IP address ranges. You can find examples for such configurations in the user guide: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-working-rules.html#cvpn-working-rule-authorize
You should use authorization rules always, specifically when you want to have grain control to who can access what.
Let me give you an example, if you have 3 different groups of users, let's say: Developer Group, HR group and Admin Group. It is a best practice to attach different access controls or "rules" to each group, to limit which network they can have access to.
As I mentioned above, you should use it, but it is not mandatory. In this case, you can access your private resources because you have a route table associated to your client VPN endpoint that explicitly says that all the traffic targeting this X private CIDR, will be routed through the endpoint.
Hope it helps.
VPN client endpoint interfaces have public IP, how to remove?Accepted Answerasked 2 years ago
What is the relationship between the Client VPN Network Association and Client CIDR Block?Accepted Answer
AWS client vpn selfserviceasked 7 months ago
Does VPN Client endpoint really need authorization rules?asked 7 months ago
Unable to access internet from my laptop when I connect to a VPC using client VPNAccepted Answerasked a month ago
Why Can't I Associate Multiple Client VPN Endpoints in the Same Availability Zone?Accepted Answer
AWS Client VPN - Notification of new client connection to another AWS service (e.g. Lambda)?Accepted Answerasked 5 months ago
Client VPN Endpoint Authorization rules do not work as I intend toAccepted Answerasked 2 months ago
Client VPN Endpoint Creation - Not Detecting Client Certificate in ACMAccepted Answerasked 4 years ago
Creating Client VPN Endpoint failing through CLI and Powershellasked 4 years ago