In addition to their own assigned rights, users can also inherit rights from the default user as well as from security roles.
Security restrictions in VSys only tell VSys not to perform certain operations. Information in your database is not necessarily encrypted or protected from other applications. If your data is stored in SQL Server, for example, users with access to SQL Server Enterprise Manager can access the tables directly, completely bypassing VSys Security.
When you're logged into VSys with security, at the top of the screen you'll see a note saying "You are logged in as xxx". If you're a superuser, you'll see a secret agent icon up there as well: For other users, if there is a portrait picture in their personal profile, that image will appear instead.
If you're logged in as a superuser, you probably should not walk away from your machine while another user may get physical access to your machine. He cannot elevate his own access rights by using your machine to access the Security manager, because VSys will require you to re-authenticate before launching any of the security-related tools. But he would still have access to many functions and his actions would be logged under your name.