How to protect against API Abuse?

Usually a Management API request needs an Access Token that has the read:users or update:users scope. It’s not possible for a user to obtain one, so they should not be able to call the endpoints themselves.

However, if this is about the Management API Access Tokens that you obtain during a login for a SPA [1] with *:current_user_* scopes, they do not affect the global rate limit. These requests will have a 10 req/min/ip limit as described in our docs [2]. I didn’t consider this scenario in my previous reply, so if your question was actually about these requests, they do not affect the global limits.

[1] Get Management API Access Tokens for Single-Page Applications
[2] Management API Endpoint Rate Limits
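To make the distinction in the reply concrete, here is an added illustration (not Auth0's code and not part of the original thread): it decodes a Management API token's `scope` claim, separates the `*:current_user_*` scopes an end user can legitimately hold from privileged ones such as `read:users`, and models the 10 req/min/ip limit the reply cites with a sliding-window counter. The scope regex, the `PerIpLimiter` class, and the sample token are assumptions for the demo; the token is decoded only, not signature-verified.

```javascript
// Added example: classify Management API scopes and model the per-IP limit.
// Assumption: Auth0 user-obtainable scopes look like read:current_user,
// update:current_user_metadata, delete:current_user_device_credentials, ...
const CURRENT_USER_SCOPE = /^[a-z]+:current_user(_[a-z_]+)?$/;
const PER_IP_LIMIT = 10;        // 10 requests per minute per IP (from the reply)
const WINDOW_MS = 60 * 1000;

// Decode the JWT payload without verifying it (verification belongs in the
// API gateway; this only inspects the claims for classification).
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact-serialized token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Split the space-separated scope claim; anything that is not a
// *:current_user_* scope is treated as privileged (e.g. read:users).
function classifyScopes(scopeClaim) {
  const scopes = (scopeClaim || '').split(' ').filter(Boolean);
  const privileged = scopes.filter((s) => !CURRENT_USER_SCOPE.test(s));
  return { scopes, privileged, userObtainable: scopes.length > 0 && privileged.length === 0 };
}

// Sliding-window per-IP counter: returns true while the caller is under the
// limit for the last minute, false once it is reached.
class PerIpLimiter {
  constructor(limit = PER_IP_LIMIT, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // ip -> array of request timestamps (ms)
  }
  allow(ip, now = Date.now()) {
    const recent = (this.hits.get(ip) || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.hits.set(ip, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(ip, recent);
    return true;
  }
}

// Constructed, unsigned sample token (alg "none", empty signature) for the demo.
function buildSampleToken(scope) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64({ iss: 'https://example.invalid/', scope })}.`;
}
```

A request carrying a token where `classifyScopes(...).userObtainable` is true is the SPA case from the reply and is what `PerIpLimiter` is meant to throttle; a token with any entry in `privileged` should never reach the API from a browser client at all.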