Currently, AdvancedPermissionChecker grants VIEW permission on every object that belongs to the currently logged-in user. This would be fine, except that the portal's initial preloaded data (i.e., the data that populates the DB when the portal is run for the first time) is assigned to the default user, which, in turn, is also used to identify guest users.
This has the undesired side effect that all initial data can be seen by the guest user as if he had created it. For an example scenario where this is not desired, see LPS-44478.
Note that, although this bug is being filed under the component "Frameworks > Permissions", the fix would probably need to be made in the other components, when they create the initial data. But before doing that, the platform team should probably decide whether we are going to fix it with a new built-in user (other than default) or with some other technique.
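The following is an added illustration, not Liferay code and not part of the original report: a minimal model of the owner-based VIEW shortcut, comparing seed data owned by the default user with seed data owned by a separate built-in user. All class names, method names and user ids are hypothetical, and the role check is reduced to a single boolean.

```java
import java.util.Arrays;
import java.util.List;

// Simplified model of the behaviour described above. Not Liferay code:
// every class, method and id here is hypothetical.
public class OwnerViewLeakDemo {
    static final long DEFAULT_USER_ID = 1L; // constructed; also identifies guest requests
    static final long SYSTEM_USER_ID = 2L;  // constructed; separate built-in owner for seed data

    static final class Resource {
        final String name;
        final long ownerId;
        final boolean guestView; // explicit VIEW grant to the guest role

        Resource(String name, long ownerId, boolean guestView) {
            this.name = name;
            this.ownerId = ownerId;
            this.guestView = guestView;
        }
    }

    // Owner shortcut: whoever owns the object gets VIEW without a role lookup.
    static boolean hasView(long userId, Resource r) {
        if (r.ownerId == userId) {
            return true;
        }
        return r.guestView; // stand-in for the normal role-based check
    }

    // Seed data as created on first start, owned by the given user.
    static List<Resource> seed(long ownerId) {
        return Arrays.asList(
            new Resource("public welcome page", ownerId, true),
            new Resource("restricted admin document", ownerId, false));
    }

    static long visibleToGuest(List<Resource> resources) {
        // A guest request is evaluated as the default user.
        return resources.stream().filter(r -> hasView(DEFAULT_USER_ID, r)).count();
    }

    public static void main(String[] args) {
        // Seed owned by the default user: the owner shortcut fires for guest requests.
        System.out.println("owner=default: guest sees " + visibleToGuest(seed(DEFAULT_USER_ID)));
        // Seed owned by a separate built-in user: only explicit grants apply to guests.
        System.out.println("owner=system:  guest sees " + visibleToGuest(seed(SYSTEM_USER_ID)));
    }
}
```

A regression test for whichever fix is chosen can follow the same shape: create the initial data, evaluate VIEW as the guest identity, and assert that only explicitly granted objects are returned.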