This scenario sounds highly unlikely: it would be a huge security incident and would also be very noticeable. Most applications I know of have a role, e.g. an administrator, which has read access to entities unconstrained by XPath. One would expect that, if the behavior you described is a platform bug, many more applications would be impacted.
The alternative scenario, where someone on your team made a modeling error, would seem more likely. If you're convinced that is not the case, you should submit a bug report for this and let Mendix investigate if there is an issue in the platform.
Finally, giving anonymous users unconstrained read rights is a security risk you are introducing in your application: if someone knows the URL of your application, they can easily extract all the data. You can check this yourself, e.g. by using https://securitycheck.webflight.nl/