That is correct. The documentation is accurate: an app can’t use that rest API, even if it is impersonating another user.
If you want to make that rest API call on behalf of another user then you can request that they provide you with one of their identity tokens: Atlassian account
But that’s nearly as good as asking them to give you their password: so make them aware of that and be secure with that data.
Can I ask why you want to be able to manipulate users? Have you read my comment here: Create JIRA user from Connect add-on via REST API - #3 by rmassaioli