Type: Bug
Resolution: Unresolved
Priority: Critical
In the current setup gitlab-branch-source uses one common user (GitLab API token) and one shared GitLab webhook token per GitLab instance. This opens up each installation to security threats, especially in multi-tenant setups. Potentially unrelated users are able to schedule all jobs via the REST API (the webhook token is known, since it is stored in plain text in GitLab), not only those related to their project. Additionally, when the GitLab service user credentials are compromised, it affects all projects in the instance that use the gitlab-branch-source plugin.
To increase security, the service user (GitLab API token) and the webhook token should be provided per Jenkins Organization Folder (per Jenkins job for a group), not globally in the Jenkins settings.
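The difference between the two designs can be shown with a small webhook dispatcher. The following is an added illustration written for this issue, not code from the gitlab-branch-source plugin (which is Java) or from GitLab; the folder names, group names and token values are constructed, and the dispatcher functions, `OrgFolder` record and `FOLDERS` registry are hypothetical. Only the `X-Gitlab-Token` header and the `project.path_with_namespace` payload field are real GitLab webhook conventions. With one instance-wide token, whoever knows it can name any tenant's group in the payload and trigger that tenant's jobs; with a token bound to each Organization Folder, a token only ever resolves to the folder it was configured for.

```python
"""Added example: instance-wide webhook token versus per-Organization-Folder token.

Not the gitlab-branch-source plugin's own code. Tenants, tokens and payloads
below are constructed for illustration.
"""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OrgFolder:
    """Hypothetical record for one Jenkins Organization Folder (one GitLab group)."""
    name: str            # Jenkins folder name
    gitlab_group: str    # GitLab group (top-level namespace) the folder mirrors
    webhook_token: str   # secret configured on that group's webhook in GitLab


# Constructed registry: two unrelated tenants sharing one Jenkins instance.
FOLDERS = [
    OrgFolder("team-a", "team-a", "tok-a-7f3c"),
    OrgFolder("team-b", "team-b", "tok-b-91de"),
]

# Current design: one token for the whole instance, visible in plain text to
# every GitLab user who can see any project's webhook settings.
GLOBAL_WEBHOOK_TOKEN = "shared-instance-token"


def _project_group(payload: dict) -> str:
    """GitLab sends project.path_with_namespace, e.g. "team-a/app"; take the group."""
    return payload["project"]["path_with_namespace"].split("/", 1)[0]


def trigger_shared_token(headers: dict, payload: dict, registry) -> Optional[str]:
    """Current design. Returns the folder whose jobs get scheduled, or None.

    The only check is the shared token, so the payload alone decides the
    target: a team-a user who knows the token can schedule team-b's jobs.
    """
    token = headers.get("X-Gitlab-Token", "")
    if not hmac.compare_digest(token, GLOBAL_WEBHOOK_TOKEN):
        return None
    group = _project_group(payload)
    for folder in registry:
        if folder.gitlab_group == group:
            return folder.name
    return None


def trigger_per_folder_token(headers: dict, payload: dict, registry) -> Optional[str]:
    """Proposed design. Returns the folder whose jobs get scheduled, or None.

    The token itself selects the folder; the payload can only narrow, never
    widen, what it may trigger. Compare against every entry so the timing
    does not reveal which one matched.
    """
    token = headers.get("X-Gitlab-Token", "")
    matched = [f for f in registry if hmac.compare_digest(token, f.webhook_token)]
    if len(matched) != 1:
        return None
    folder = matched[0]
    # Defence in depth: the event must also belong to this folder's own group.
    if _project_group(payload) != folder.gitlab_group:
        return None
    return folder.name


if __name__ == "__main__":
    # A team-a user forges an event for team-b while knowing the shared token.
    forged = {"project": {"path_with_namespace": "team-b/app"}}
    print("shared token  :", trigger_shared_token(
        {"X-Gitlab-Token": GLOBAL_WEBHOOK_TOKEN}, forged, FOLDERS))
    print("per-folder tok:", trigger_per_folder_token(
        {"X-Gitlab-Token": FOLDERS[0].webhook_token}, forged, FOLDERS))
```

The same scoping argument applies to the GitLab API token: a credential stored on the Organization Folder can only read and update the projects of that one group, so a compromise of team-a's token leaves team-b's projects untouched.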