Read this article to know how safe is your users’ and company data during the installation of YAMM for your domain.
Difference between installation by Individual vs. Google Workspace Admin
An individual can install YAMM from Google Workspace Marketplace or Chrome Web Store page. During installation, the user will be asked for authorization of a set of permissions that are needed for YAMM.
As a Google Workspace admin, you can also pre-install and pre-authorize YAMM from Google Workspace Marketplace, for all users of your domain. Your installation for domain-wide use, is one-time and makes YAMM readily available for all your users.
You authorize and grant the same set of permissions as in an individual install, but you do it on behalf of all your users as well. So when the users want to use YAMM, they don't need to individually authorize it again.
Does your permission for YAMM allow it to have access to all your user’s data?
We cannot impersonate your users and retrieve their Drive/Gmail data, programmatically.
We can retrieve their data only when a specific user interacts with YAMM add-on. This behavior is exactly as if he has installed and authorized YAMM himself.
Is your company and user data at risk?
Unlike many other Google Workspace apps, YAMM doesn't ask to create a 'service account with domain-wide delegation'. So YAMM does not access to data of the users who aren't actually using the product.
Can I whitelist YAMM instead of domain-wide installation?
OAuth apps whitelisting is to specifically allow selected third-party applications to access your users’ Google Workspace data.
YAMM is neither a Google Workspace web application (it is an add-on for Google Sheets) nor does it ask for access to your users’ data (via domain-wide delegation of authority).
So whitelisting is not applicable for YAMM.