Sort of. This works the same if the app is deployed to etc/apps via Deployment Server as well:
Search heads will read authentication/role information (authentication.conf/authorize.conf) out of apps in etc/apps.
Search heads will write any changes made to their etc/system/local - which will have to be manually synced with the app in the pooling area or in Deployment Server - and this overwrites any equivalent settings in etc/apps.
Also, keep in mind: every server will need its own hash of the Bind DN password (if using LDAP) in its etc/system/local.
If all servers happen to have the same $SPLUNK_HOME/etc/auth/splunk.secret file, you don't need to have independent bindDN hashes. But be aware that changing out a splunk.secret file will require changing any other files hashed with that file to match.
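As an added example (not part of the original answer), the Python sketch below reports which authentication.conf/authorize.conf keys in etc/system/local shadow the copy delivered by an app, so they can be synced back by hand. The app name `auth_app`, the function names, and the sample file contents are constructed for illustration, and the parser ignores line continuations.

```python
import tempfile
from pathlib import Path

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, "default"
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def shadowed_settings(system_local, app_dir):
    """List (conf, stanza, key, differs) for keys set in both etc/system/local
    and the app. Values are left out so password hashes never reach the report."""
    findings = []
    for name in ("authentication.conf", "authorize.conf"):
        local_file = Path(system_local) / name
        if not local_file.is_file():
            continue
        app = {}
        for layer in ("default", "local"):  # app local overrides app default
            path = Path(app_dir) / layer / name
            if path.is_file():
                for stanza, kv in parse_conf(path.read_text()).items():
                    app.setdefault(stanza, {}).update(kv)
        for stanza, kv in parse_conf(local_file.read_text()).items():
            for key, value in kv.items():
                if key in app.get(stanza, {}):
                    findings.append((name, stanza, key, app[stanza][key] != value))
    return findings

def demo():
    """Run the check on a constructed tree (all names and values are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        app, sys_local = Path(tmp) / "etc/apps/auth_app", Path(tmp) / "etc/system/local"
        (app / "local").mkdir(parents=True)
        sys_local.mkdir(parents=True)
        (app / "local/authentication.conf").write_text(
            "[authentication]\nauthType = LDAP\n[corp_ldap]\nhost = ldap.example.com\n")
        (sys_local / "authentication.conf").write_text(
            "[corp_ldap]\nhost = ldap-old.example.com\nbindDNpassword = CONSTRUCTED\n")
        return shadowed_settings(sys_local, app)
```

In the constructed tree only `host` is reported: the per-server `bindDNpassword` exists solely in etc/system/local, which is the expected layout, so it is not flagged.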