By default, there is security rules to define all tabs/objects available on the application to a user that have access in a specific stream. It´s a default behavior like vlad.komarov mentioned.
But, if you need to change this behavior, you really need to disable the default Qlik Security Rules.
So, be carefull on this process, because a simple change can crash all enviroment. Always use a test environment on this case.
Please, mark the CORRECT and HELPFUL comments.