I think that it is not a “security issue”, it is just the way it works.
As I guess, Adalo was created primarily to build mobile apps. In mobile apps (compiled and installed from Appstore / Google play), the user “flow” could be managed pretty firmly, and I think it’s not possible to get to hidden/protected screen without explicit action with permission.
PWAs / Web Apps is a different story; you can easily copy the URL and send it to someone. “User rights check” on each screen is not implemented in Adalo at the moment (see above - no need for that in mobile). So that’s why developer needs to protect sensitive screens manually. Fortunately, there are on-screen-enter actions and visibility settings, so these could be used for protection.
What you need to do is to check upon entering the screen is (a) that user email is not empty and (b) that user is admin. “Hiding” content is an additional measure, protecting against a bug which happens sometimes with Back button.
As for guessing URL - I don’t think its possible, just look at its length