Pretty sure recovery user disables side_door access for all users except the recovery users.

And for the recovery user, if they login bypassing SSO, they will only have access to the SSO configs to fix or disable SSO. They won't be able to do anything else in SN.