Closed (duplicate)
Project: Private
Version: 6.x-1.x-dev
Component: Miscellaneous
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 21 Dec 2008 at 11:35 UTC
Updated: 21 Dec 2008 at 23:03 UTC

This occurs irrespective of any permissions settings, which seem to be completely ignored.
I have tested this systematically using a few authenticated users;
all can read all other private nodes, including those from admin!
Anonymous is correctly blocked.
BTW I have no other access modules installed.
Please, if this is not a bug, explain how to change this behavior,
or point to documentation that explains that it should behave thus,
otherwise it is a clear security flaw.
Glad for advice.
Comments
Comment #1
webel commented
Accidental double-submission of #349735: All authenticated users can view all private content from all other authenticated users, including the admin's private pages, may be deleted.