You are correct, that password should not be shared between separate user accounts or separate non-federated IDP accounts. However, a user can have a single password across services that use a given account (hence Single Sign On). For example, Outlook and macOS using the same account should have their password synced to match the password for that same account on the IDP.
MacOS is kinda the odd one out, as it still primarily uses local accounts and wants to be the top password authority. This is where Jamf Connect comes in, to make macOS play nice with IDP accounts. PSSO will eventually render Jamf Connect obsolete, but Jamf connect is up and running and fully functional today and PSSO is not.
