That should work if the library can only be accessed through the metadata server.
Now consider if the library is a folder containing the SAS datasets and the user know the path and has access to it.
The user can directly access it using a libname statement. To prevent this access, access control restrictions need to be setup.
So also is the case of external databases. if the user has the details, they can directly access them. Therefore access restrictions needed to be create and enforced at the database level too.
Thus metadata level security needs to be suplemented by access control restriction at the OS / Database level too.