I was just experimenting with app level access controls and noticed that when the entities within the app are linked to types outside of the app (in particular to user entities), they show up for users without permission for the app.
When I click on the linked entity, it says “You have read-only access to that [ENTITY]”. But I had set the access level as “No Access”.
Does this mean “locked-down” apps need to be self-contained and not reference any other entities? I wasn’t sure if this was bug or by design. Could you elaborate on this?