Hi Lisa,
From a security perspective, page access is actually not restricted client side. So if you know the module and page name, any page is accessible by any user. You can test this out by executing the following JavaScript from your browser console. Just replace YourModule and YourPage with anything that is present in your application, and you should be able to open any page, regardless of your current user role.
    mx.ui.openForm("YourModule/YourPage.page.xml", {
        location: "content",
        callback: function(form) {
            console.log(form.id);
        }
    });
I'm not sure where the discrepancy between applications comes from, but the behavior you describe seems to be as expected.
Either way, you should ensure that the domain model is set up properly so that access rights are enforced there. Restricting page access is not sufficient from a security perspective.
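
Added example, not part of the original post and not Mendix runtime code: a simplified model of the point made above, showing what a User role receives when a page is opened by name with only page access restricted versus with entity access rules in place. The module, page, entity and role names (`Sales`, `InvoiceOverview`, `Sales.Invoice`, `Administrator`, `User`) and the helper functions are assumptions made for illustration.

```javascript
// Simplified model, constructed for illustration (not Mendix runtime code).
// Page roles only shape navigation; entity access rules gate the data.
const database = { // constructed sample objects
  "Sales.Invoice": [
    { id: 1, customer: "Acme", total: 1200 },
    { id: 2, customer: "Globex", total: 450 },
  ],
};

// allowedRoles is used to build menus and buttons only.
const pages = {
  "Sales/InvoiceOverview": { entity: "Sales.Invoice", allowedRoles: ["Administrator"] },
};

// Server-side retrieve: applies entity access rules, never page roles.
function retrieve(entity, role, entityAccess) {
  const rule = (entityAccess[entity] || {})[role];
  if (!rule || !rule.read) return []; // no rule for this role: no data
  return database[entity].map((obj) =>
    Object.fromEntries(rule.attributes.map((a) => [a, obj[a]])));
}

// Opening a page by name: allowedRoles is not consulted, so what the
// user sees depends on entity access alone.
function openPageByName(pageName, role, entityAccess) {
  const page = pages[pageName];
  if (!page) throw new Error("unknown page: " + pageName);
  return { page: pageName, rows: retrieve(page.entity, role, entityAccess) };
}

const adminRule = { read: true, attributes: ["id", "customer", "total"] };
// Weak setup: only the page is restricted; User can still read the entity.
const pageOnlyRestriction = { "Sales.Invoice": { Administrator: adminRule, User: adminRule } };
// Corrected setup: User has no access rule on the entity.
const entityRestricted = { "Sales.Invoice": { Administrator: adminRule } };

for (const [label, access] of [["page-only", pageOnlyRestriction], ["entity rules", entityRestricted]]) {
  const { rows } = openPageByName("Sales/InvoiceOverview", "User", access);
  console.log(label, "-> rows returned to User:", rows.length);
}
```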