User management for external users revealing sensitive information

Hey team – not sure if this is a bug or intended behavior.. new to retool!

Here's what's happening:
– we have a set of pages we are using as a dashboard for our customers (aka external people who should not have access to any resources, editing pages/queries, etc.
– we set up their account to have access to just the pages that we want

However what we're seeing now is that none of the pages work without giving them access to the resources. And if we give them access to the resources, they can access them by hitting Command+K and navigating to the sensitive resource page (exposes production endpoints/configurations for our DB)

are we doing this correctly / is this intended behavior? What's the best practice here for what we're trying to do?

thank you very much!