I too had this issue and CA created CLRT-76817 that security is not recognized on tabs.. Even if you secure the tab (say only Group A can access this tab), it does not work. So, the code is broken. CA told me that, but no plans on fixing it, which is not good.
Maybe I should log an IDEA for clients to be able to vote on which defects to fix? CA lists all open defects and we the customers vote on them. The higher the vote, the quicker CA would plan to fix it