The native security rules for data_connection resources works as you would want it to work.
It means someone changed security rules to give all users access to all data_connections.
You need to find in your security rules the one that opens that security.
You can find this security rule with the audit function, for example => audit for a specific data_connection for a specific_user which is not the owner of this data_connection, then on the right panel you will be able to check the associated security rules that allow this to happen.
Thomas Le Gall