Let's assume that a job B is security enabled with user X only authorized to browse and/or run it.
When running job B alone, a user Y cannot run or browse it. That's OK.
Now, let's assume that Job B is triggered after Job A, and X is allowed to run and/or browse Job A. If user X run job A, then Job B is still launched while X is not authorized to tun Job B, and user X can also browse Job B from Job A downstream link.

Assuming this is a normal behavior (I mean, not a bug), an option should be available to ask for ACL to be fulfilled in a upstream / downstream relation, in order to enforce confidentiality in a worldwide / multi stakeholders project.