At the outset, it is important to understand that the My Work section is purely an alias for "Unpublished apps which the user has read rights on". With that, there is a rule which is granting access. The easiest method to drill down to what rule is providing access is by using the Audit functionality in the QMC:
- QMC > Audit
- Target Resource: Apps
- Select an app which the user is unexpectedly seeing
- Select the user who is unexpectedly seeing the app
- Environment: Only in Hub
From there you can inspect the rules which are providing access.
It's going to be a custom rule which has a filter on App* or App_* but the audit functionality is the easiest way to drill down without needing a ton of reps in sight reading security rules.
Hope that helps.