I am opening a question but also giving the answer for the problem.
I just came up with a critical error in the customer I work for - IMHO due to a SAP bad design in the Fiori Launchpad Designer (Fiori on NetWeaver, not on Cloud).
There are many "2.0" apps in HCM. e.g. "My Leave Requests" has a newer version which is a different app called "My Leave Requests 2.0"
Customer is gradually activating those 2.0 apps and for that they did are not delivering those to the end users yet. In order to not give authorization to these new apps to the final users, the customer separated the "1.0" apps from the "2.0" apps in different catalogs. However, final users could still see and open "2.0 apps" even **without having rights to the calalog(s) containing this apps**. It's important to say that all apps are in the same Fiori Group. It should not be a problem as the catalogs are different ones.
Why that happens?
Because of 2 technical decisions from SAP:
1) The new apps uses the same target mapping from their older version. So if app "My Leave Requests" uses target mapping LeaveRequest-manage, its newer version "My Leave Requests 2.0" uses the same target mapping LeaveRequest-manage
2) What **really** defines what the users has access to is NOT the access to the catalogs but the target mappings available inside the catalogs he/she has access to. So If the user has access to catalogs C1 and inside it you can find target mappings "Foo-display" and "Bar-manage" you might have a problem like I had. If you have a different catalogs say C2 that coincidentially have a target mapping "Foo-display" (linked with a different tile and app) the user will see that other app even without having access to catalogs C2
We changed the target mappings for all 2.0 apps so they become different to the 1.0 apps. This might break some navigation between the apps but it's a temporary fix until we officially launch the 2.0 apps to final users