A service principal object is the local-tenant representation of an Azure AD application (app registration). For the purposes of this discussion, you can think of them as the same thing. The difference in permissions is a direct result of the authentication method used.
If the app/service principal is authenticating via the so-called client credentials flow (via client secret or certificate), it runs without an associated user and effectively gets unrestricted access to all resources in your tenant, subject to the granted permissions of course. This seems to be what the PowerBI folks refer to as the "service principal" scenario.
If the app/service principal authenticates via the so-called public client flow, there is always a user element involved, and the resulting permissions are the subset of permissions granted to the user and the app itself. Thus in this scenario, the app will never be able to access anything the user does not have access to.
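Added example, not part of the original answer: a small Python check that tells the two cases apart from an access token's claims, using the fact that Azure AD puts delegated permissions in `scp` and application permissions in `roles`. The tokens, permission names, workspace names and the `reachable` helper are constructed for illustration, and the payload is decoded without signature verification, so this is for inspection only.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT for the demo (not a real token)."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), ""])


def decode_claims(token: str) -> dict:
    """Decode the payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify(claims: dict) -> dict:
    """Delegated tokens carry 'scp'; app-only tokens carry 'roles' and no 'scp'."""
    scopes = claims.get("scp", "").split()
    roles = claims.get("roles", [])
    if scopes:
        return {"flow": "delegated", "permissions": scopes, "user_bound": True}
    if roles:
        return {"flow": "app-only", "permissions": roles, "user_bound": False}
    return {"flow": "unknown", "permissions": [], "user_bound": False}


def reachable(flow: str, app_granted: set, user_can_access: set) -> set:
    """App-only: everything the grant covers. Delegated: capped by the user."""
    return app_granted if flow == "app-only" else app_granted & user_can_access


# Constructed sample claims (placeholder values, not from a real tenant).
APP_ID = "00000000-0000-0000-0000-000000000001"
APP_ONLY = make_sample_token({"appid": APP_ID, "roles": ["Example.Read.All"]})
DELEGATED = make_sample_token({"appid": APP_ID, "scp": "Example.Read Example.Write",
                               "upn": "alice@example.com"})

if __name__ == "__main__":
    granted = {"ws-finance", "ws-hr", "ws-eng"}  # what the app's grant covers
    alice = {"ws-eng"}                           # what the signed-in user can access
    for tok in (APP_ONLY, DELEGATED):
        info = classify(decode_claims(tok))
        print(info["flow"], sorted(reachable(info["flow"], granted, alice)))
```

A delegated token can also carry a `roles` claim for app roles assigned to the user, which is why the check looks at `scp` first.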