As far as I understand, a rule that looks like
that's given a role of ROLE_AUTHENTICATED, means that when you're logged out, you should see nothing from this workspace.
As of 2.9 and 2.10, this is no longer happening.
With a default GeoServer, change the spearfish layer group to be in the sf workspace.
Add a new Data Security rule of sf.*.r and give it a role of ROLE_AUTHENTICATED.
Go to Layer Preview.
You will see no other layers from the sf workspace, but you will still see sf:spearfish.
Windows / Ubuntu