The crucial defence here is that you can only call anvil.server.launch_background_task() from Server Modules (ie trusted code). So you can do your checks (eg require_user) in the @anvil.server.callable functions (which can be called from untrusted code), before launching the background task. Then the background task can trust its input (because your code will only launch it on behalf of users it deems worthy).
I hope that helps – happy to explain more, but if you have more questions we should probably take it to a new Q&A thread 