From your description this seems to work exactly the same as when opening a page from a microflow. You could make a project without any access expoicitly given to any page, as long as you open every page from a microflow.
In a way this makes sense, as a page can never contain anything that you would want to really block any user from anyway. If your security relies on a user not having access to a page, it's broken anyway.
edit: Just checked; the setting specifially says "visible for", not "accesible by" or anything like that.