A simple way to think about a mashup is as an extension of the particular Qlik Sense application you have embedded. If a user does not have access to the application inside a stream they will not be able to view the objects inside the mashup either.

This concept can also be extended to the licensing of a mashup, the same access rules seem to apply with a mashup as they do to a Qlik Sense app.

Note: It is also good to remember that with this basic level of access permissions any user will still be able to see the layout and non app object content, for example any html and css layout that the mashup has will still be visible. If you want to protect these as well you will need to look at some other options for securing the resources.