That doesn't sound like the usual behaviour. Unless you give permission at app_object* level to all users, unpublished objects should never be exposed to all users.
What security rules are you applying to grant access to the stream and apps to the users? May be its worth reviewing those, as the standard out of the box rules shows the "My sheets" objects to the object owners only.
Kabir Please do not forget to the mark the post if you find it useful or provides you the solutions 🙂