No Top Secret Violation Against CICS Region Acid When Accessing Application Dataset

Article ID: 12029

Updated On:

Products

Top Secret, Top Secret - LDAP

Issue/Introduction

The CICS region acid does not have the NODSNCHK or NOVOLCHK bypass attributes. It is authorized to access the datasets needed for the CICS region to start.

The official IBM documentation states:

"Authorizing access to user data sets Version 5.2.0 

When you have defined the RACF user ids for your CICS regions and given them access to the CICS system data sets, permit the user IDs to access the CICS application data sets with the necessary authority."

This means the CICS region acid needs permission to access not only the system datasets but also the application datasets. In other words, access to an application dataset that is not permitted to the region acid should be denied.

A security trace shows that a security call is issued, but it is made with LOG=NONE. This is why the violation is not logged.

Why isn't there a violation against the CICS region acid when accessing an application dataset?

Resolution

In the z/OS program properties table (PPT) entry for PGMNAME(DFHSIP) in SYS1.PARMLIB(SCHEDxx), remove the option "NOPASS". "PASS" is the default.

When NOPASS is removed and PASS is in effect, the security calls against those datasets are made without LOG=NONE and the violation is logged.
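To find PPT entries that still code NOPASS, the following added example (not Broadcom or IBM code) parses the text of a SCHEDxx member and reports the effective PASS/NOPASS setting per program. The sample member is constructed, EXAMPLE1 and EXAMPLE2 are hypothetical program names, and the parser assumes the member was exported as plain text with keywords written without embedded blanks.

```python
import re

# Constructed SCHEDxx sample (not from a real system).
SAMPLE_SCHED = """\
/* constructed sample for illustration */
PPT PGMNAME(DFHSIP)      /* CICS initialization program */
    KEY(8)
    NOSWAP
    NOPASS               /* the option the article says to remove */
PPT PGMNAME(EXAMPLE1)    /* hypothetical program name */
    KEY(8) NOSWAP PASS
PPT PGMNAME(EXAMPLE2) NOSWAP
RESTART CODE(123)
"""

COMMENT = re.compile(r"/\*.*?\*/", re.S)
NAME = re.compile(r"PGMNAME\(([^)]+)\)")
# Other SCHEDxx statement types; any of them ends the current PPT statement.
OTHER_STATEMENTS = {"MT", "RESTART", "NORESTART"}

def parse_ppt(text):
    """Return {program: set(options)} for each PPT statement in SCHEDxx text."""
    # Use columns 1-71 only, drop /* */ comments, then split on whitespace.
    body = "\n".join(line[:71] for line in text.splitlines())
    tokens = COMMENT.sub(" ", body).upper().split()
    statements, current = [], None
    for tok in tokens:
        if tok == "PPT":
            current = []
            statements.append(current)
        elif tok in OTHER_STATEMENTS:
            current = None
        elif current is not None:
            current.append(tok)
    entries = {}
    for stmt in statements:
        names = [m.group(1) for t in stmt if (m := NAME.fullmatch(t))]
        if names:
            entries[names[0]] = {t for t in stmt if not NAME.fullmatch(t)}
    return entries

def effective_pass(options):
    """PASS is the default, so only an explicit NOPASS changes the setting."""
    return "NOPASS" if "NOPASS" in options else "PASS"

def nopass_programs(entries):
    """Programs whose data set security calls are made with LOG=NONE."""
    return sorted(p for p, o in entries.items() if effective_pass(o) == "NOPASS")
```

For the sample member, `nopass_programs(parse_ppt(SAMPLE_SCHED))` returns only DFHSIP, the entry the resolution above corrects.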

Additional Information

You can review the SCHEDxx parameters from the IBM link for z/OS 2.1 here.