How does Copado connect to Salesforce orgs? Does it connect through each user's own Salesforce user account, or does it use a dedicated service account for all Copado users?

You can do either. It connects via OAuth. So the most commonly adopted strategy is to have a service account be authenticated and then that record in Essentials is shared with the users you’d like to open access for them to deploy to that org. They CANNOT login with that token. It is just used to deploy change to/from the org.