The system is operating correctly. Read about the OpenACS permissions system which controls access to content objects in the system. Look at the code in some of the supplied packages to see how this is used to restrict access.
The users should not have direct access to the database via PSQL or other non-OpenACS applications, they should be access data through the web app. Proper use of the permissions system has provided a very secure mechanism for controlling access to content for over a decade.
Also look at database query examples that use oracle-like bind variable notation to parameterize queries with data from HTTP requests and other sources. Use of this notation prevents SQL injection attacks right out of the box.