If you include external content in a QuickSight dashboard (no matter if images or content via the custom visual content), users will be able to see anything that they are allowed to access within their browser. QuickSight does not apply any additional authentication or authorization mechanisms on top of them. Meaning, if you, for example, include content from your internal CRM system using a custom visual content and your users are authenticated via some SSO mechanism to your CRM system, they will be able to load and view that content within the QuickSight dashboard.
The same applies to content/documents stored in S3: As long as your end users are able to access it from within their browser, it can be included in a QuickSight dashboard. This content/document does not have to be publicly accessible. There are multiple ways you can make them accessible in a secure way: You could, for example, make them accessible via an API that is secured with your company's preferred authentication mechanism.
I hope this helps to understand how the integration of external content in QuickSight works at the moment.