The access policies settings on Pages only apply to Preview deployments by default, e.g. setting one up for your deployment will only affect *.myapp.pages.dev. However, this is very easy to get confused about and thinking it applies to Production deployments as well. This happened to me, which exposed my Production deployment to the world.
I would suggest this be made clearer, or that a separate access policy setting be added for Production deployments, which would also make it clearer that you need two different access policies - one for Preview and one for Production, if you want to hide everything from the world.
