Yep, I found that ultimately the issue was with the selected '404' page, not so much with the default setting. Either applied directly to the user role, or 'globally' for all of those roles without access.
Just a heads up -- doing maintenance on one of my main clients sites, and updated to the latest version of Access. Found that this version has a regression (sort of), in that it still seems to be affected by the same bug whereby any non-admin users can access 'admin only' items in a post group. It's as if the fix in the Helper.php file you linked was not rolled in. Any idea why? Is it safe to apply to Access 2.6.1?
I'm not sure why they would have released an update that didn't include the fix, but it seems like that's what happened, so I've asked if they can confirm the same patch can be used.
It didn't get included in this recent update because the update was unplanned and was pushed because of an issue that arose with the last Types update.
There should be a planned Access update—from the internal tickets and time that will be required for QA testing I expect that would likely be the week after next.
I'm just doing some house-keeping and it seems I didn't update you to point out that Access 2.7 was released, which it has been, so you should be able to update without any issues, no need to re-apply the patch.
