This seems to be a misunderstanding of how FileMaker security works.
If you define each privilege set's layout access properly, users can only access the layouts they are supposed to be able to access, no matter how they manipulate the URL.
No, the privilege sets are no option.
We handle the access privileges to the different layouts in a table in the database.
The users will see only the navigation buttons that are allowed to access.
All web users have the same "FileMaker privilege set" and in this case the same access rights to the layouts.
If we would give the access with the FileMaker privilege sets we have to define very much privilege sets.
If we only have 5 Layouts for the Webusers, we have to build 30 privilege set's.
(only Layout 1, only Layout 2, … then Layout 1 & 2, Layout 1 & 3, … and so on)
And with 10 Layout there are 1022 possibilities. This is no option.
The privilege sets is ok to protect the layouts you use for development but
not to restrict access to the user layouts like "budget", "contact", "billing", …
If I connect with a FileMaker Client I can only access the layouts that I can reach by a script.
Why it is different in WebDirect?
I thought WebDirect should align the functionality to the FileMaker Client.
I wouldn't really call this a security issue in the strict sense, but you can always use a OnLayoutEnter script trigger to prevent users from accessing layouts by other means than your navigation scripts. Not as elegant as one would like, of course.