Recently I came across a rather confusing situation with my Force.com application. I had whittled down my profiles; implemented a marvelous role hierarchy; and a number of sharing rules, and although my application was functionally restricted i.e. object-level access, field-level access etc., the data didn’t seem to be restricted by the sharing model i.e. I could see data created by user A when logged in as user B, even though I had explicitly disabled this behaviour.
The application I’m developing may not be the same or even similar to yours, especially since I don’t use any standard pages. I suspect that if I had use more of the standard functionality I may have guessed at the solution a bit earlier.