The DACFx option to "DROP objects in target but not in project" needs a way to optionally ignore any logins/users created for a target DB outside the DACPAC.
Understandably, DACPACs cannot define passwords for logins as the package source would compromise the passwords. In practice, this means I typically define application role(s) in my DACPAC, and grant the necessary permissions for my app to the roles. I then let the DBA assign whatever logins/users to these roles out of band.
Often, it is desirable to use the "DROP objects in target but not in project" option (e.g., Microsoft.SqlServer.Dac.DacDeployOptions.DropObjectsNotInSource) to ensure that any renamed objects deploy successfully.
However, this option will wipe out the logins/users created out of band by the DBA. This is an easy way to then break the overall application, as the DBA must then recreate the logins, users, role memberships, and any permissions for the login/user.