Currently one can execute cross-database query on the same server without additional authentication. This was OK when having only server-wide authentication. With SecurityDatabase parameter, added to aliases.conf, one can login to some database as USER1, but it does not mean that he is granted to access as USER1 another database, for which another SecurityDatabase is psecified. Same issue with access to database using services.
Solution of this problem is supposed to go together with mapping server/OS security objects to database users. For services we need additional SPB parameter, specifying with what database are we going to work.