When attempting to limit access to specific pages, the current work around is to create a new property for the Page Model then use this to filter. Then use the Validation Hook on the model to enforce that pages with specific URLs must have this property set to true so that users are not able to remove the access control when editing the page.
Vulnerability using this method: Users who shouldn’t have access to a page with a protected URL can create and publish new page with a protected URL or alter an existing Page to give it a protected URL.