Each of these has slightly different requirements for the API calls being made.
In Passthrough mode, you must attach valid SAP credentials to each API request using basic authentication headers. Those credentials will be passed through to SAP and the call will be executed using those credentials (including logging all actions as being done by that user).
This mode allows you to use a 3rd party identity provider to validate that the caller has permission to make the API call, while using a service account to actually interact with SAP. The service account used is the account configured on the Connection in Connect (or on the SAP Cloud Connector, if applicable).
When using this mode, the credentials that were configured on the Connection (or the SAP Cloud Connector, if applicable) are used on every call. Typically this is a service account. All actions in SAP will be logged as being done by this user.
Since the Connect end points are available publicly on the internet, anyone can call any of the exposed APIs without needing to provide credentials.
We strongly recommend against using this mode, other than for special cases (ex. development).