Please see the bottom of
http://support.sas.com/onlinedoc/913/getDoc/en/biov.hlp/a003069529.htm
Advanced applications like EG and Enterprise Miner allow general purpose SAS coding. As the referenced manual implies, metadata permissions are enforced by the clients, not the server (different than a relational database system.) There are many reasons why this has evolved differently, mainly because traditional SAS usage was very free form WRT where people worked and stored data. That said, applications are the enforcer of metadata permissions, NOT the SAS server.
The best way to secure your data is to use OS level permissions or give them a client like the Add-In to Microsoft Office (part of BI Server.) EG does respect MLE libname engine permissions, but someone in EG could bypass MLE with their own libname if they know where the data is on the server, unless you applied OS level dataset/directory permissions. I wish I had a better answer for you, but in SAS 9.1 there is a different paradigm than relational databases...