Yes, an access token enables access to an account via the Dropbox API to the extent allowed by the app's permission. For this reason, you should never share or expose an access token for your own account to other users. Users should only ever have access to their own access token(s).
Given that your access token has been published, I recommend revoking it.
For the functionality you're looking for, you can instead have the users upload to your own server first, and then upload to Dropbox from your server. That way, the access token only needs to exist on your server, not exposed to the end-users.
Alternatively, you could use /2/files/get_temporary_upload_link (again from your server) to pass down a temporary upload link on the page so the file can be uploaded directly from the browser without exposing the access token client-side. (Note that this endpoint is still in preview though.)
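A server-side sketch of the temporary upload link approach described above, as an added example that is not part of the original post or Dropbox's own code. The `/uploads` folder, the `DROPBOX_ACCESS_TOKEN` environment variable and all function names are assumptions; the request and response fields follow the Dropbox API documentation for this endpoint.

```python
import json
import os
import re
import urllib.request

API_URL = "https://api.dropboxapi.com/2/files/get_temporary_upload_link"
UPLOAD_DIR = "/uploads"  # assumed destination folder, not from the original post


def safe_dropbox_path(client_filename):
    """Reduce a browser-supplied name to one safe path component under UPLOAD_DIR."""
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    if not name:
        raise ValueError("unusable filename")
    return f"{UPLOAD_DIR}/{name[:100]}"


def build_link_request(client_filename, token, duration=600):
    """Build the server-side API call; the token appears only in this header."""
    body = {
        "commit_info": {"path": safe_dropbox_path(client_filename),
                        "mode": "add", "autorename": True},
        "duration": duration,  # seconds the link stays valid
    }
    return urllib.request.Request(
        API_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def client_payload(api_response_bytes):
    """Pass down only the upload link, never the token or the raw API response."""
    return {"upload_url": json.loads(api_response_bytes)["link"]}


def issue_upload_link(client_filename):
    """Called from the server's own route handler; performs the network call."""
    token = os.environ["DROPBOX_ACCESS_TOKEN"]  # assumed variable name, server-side only
    req = build_link_request(client_filename, token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return client_payload(resp.read())
```

The browser then sends the file body to `upload_url` with a `Content-Type: application/octet-stream` POST, so the page never needs the access token.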