Thank you for contributing to the Prismic community.
I'm not sure I've understood the question. However, if you ask if somebody who has access to the deployed instance of your application can access this access token that you store in environment vars in a platform such as Netlify. The answer is that they will be able to access it.
But if you mean that if you deploy your application in Netlify, for example, and some lambda user tries to access your website, then it depends on your implementation.
If you are making calls to Prismic on the client side, then yes, anyone will be able to see their access token and make calls to Prismic using it.
If use environment variables and all the calls are made server-side, then there should be no way for your end website user to get and use the access token.
Please let me know if that answers your inquiry,