OH security is all-or-nothing right now.
However, if you have concerns about non-users being able to access Items, you can turn that off, requiring an authentication code or login to access any Item. But if one can access any Item, one can access all Items.
The description under the visibility fields makes it clear that visibility is not a security feature.
So this behavior should not be a surprise.
Yes and no. Yes, this is intended, and no, there is no way to expose only certain Items.
Pages and pages of discussions and arguments and more have occurred on the topic. Please note that any sort of authentication at all is new in OH 3. It’s a huge amount of work to go to the next stage of implementing ACLs and more than two user roles and implementing fine grained access control.
First, the Android app only allows access to other apps running on the same phone. So rule 1 should be "don’t install untrustworthy apps on your phone."
Second, you can turn off Tasker integration. With that turned off no apps on your phone can get to Items through the Android app beyond the app itself.
Beyond that, your keeping physical security of your phone should be sufficient (have a password for login, don’t let it remain unlocked for long, etc).
Third, if you are concerned about other people on your LAN installing the app:
- Disable guest mode in openHAB settings so users must be logged in to openHAB to access anything
- Don’t give those people login credentials.
You can further limit access to certain IP addresses when using a firewall.
Fourth, if you can’t trust them with your OH, why do you trust them on your LAN in the first place? If they are not on your LAN, they’d have to get to OH through myopenhab.org (which requires credentials) and, if guest mode is turned off, they also need credentials to log into OH itself. That’s two separate sets of credentials (no, this doesn’t count as two factor).
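
A check for the guest-mode advice in the post above, as an added example that is not part of the original post or of openHAB itself: it requests the Item list with no credentials and reports whether a client on the LAN that has no login can read every Item or none. It assumes the openHAB REST endpoint `/rest/items` and that a refused request comes back as HTTP 401 or 403; the function name and the host in the usage comment are illustrative.

```python
import json
import sys
import urllib.error
import urllib.request


def anonymous_item_exposure(base_url, timeout=5):
    """Request /rest/items with no credentials and report what comes back.

    Returns (verdict, item_names):
      "exposed"   - 200 with an Item list: anyone who can reach the port sees all Items
      "protected" - 401/403: a login or token is required (assumed refusal codes)
      "unknown"   - unreachable, another status, or a body that is not an Item list
    """
    url = base_url.rstrip("/") + "/rest/items"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as err:
        # HTTPError must be caught before URLError (it is a subclass).
        if err.code in (401, 403):
            return "protected", []
        return "unknown", []
    except (urllib.error.URLError, OSError):
        return "unknown", []
    try:
        items = json.loads(body)
    except ValueError:
        return "unknown", []
    if not isinstance(items, list):
        return "unknown", []
    names = [i.get("name", "?") for i in items if isinstance(i, dict)]
    return "exposed", names


if __name__ == "__main__":
    # Assumed usage: python check_guest.py http://<your-openhab-host>:8080
    verdict, names = anonymous_item_exposure(sys.argv[1])
    print(verdict, "-", len(names), "Items readable without login")
    for name in names:
        print("  ", name)
    # Non-zero exit lets a scheduled job alert when guest access is back on.
    sys.exit(1 if verdict == "exposed" else 0)
```

Run it from a machine that should not have access (for example one outside the firewall allow-list) to confirm both the guest-mode setting and the IP restriction.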