How to remove modules for users without permissions?

I’m trying out the role permissions system, and I created a role that has 0 permissions (for doctypes) checked, assigned it to a role group, and then gave it to a test user (who doesn’t have any user roles). However, when I log in as that user, I see that they still have access to a couple of modules and doctypes (see image below; there are a couple of other doctypes in the CRM, HR, and Quality modules). Is this a bug or intentional design? Is there a way to get around it? Thanks!