This is Not a Bug. Below are details
In C:\ca\clarity\trunk\npt\src\META-INF\npt\xbl\pages\addTabRightsFromParent.xbl line 48 mentions "If its a tab for an object instance type then reset the entry policy to be that of the parent frame" which means the tab security is parent driven.
Even in out of the box tab "Dashboard" Setting gear appear.
But the content displayed in this tab will be right driven, so user can configure tab with limited access to project only if a user has project navigation and view rights.
This is by design and confirmed with architect as well that this is not a security concern.