We configured SimpleAuthenticationPlugin as follows

we defined 2 users:

<authenticationUser username="user1" password=“user1" groups="users1"/>
<authenticationUser username="user2" password=“user2" groups="users2"/>

that are allowed to publish/subscribe on 2 different topics

<authorizationEntry topic="USER1.>" read="users1" write="users1" admin="users1" />
<authorizationEntry topic="USER2.>" read="users2" write="users2" admin="users2" />

We connected the client 1 with the credential users1 and subscribe #
The broker allowed the client 1 to subscribe # although not authorized.

Then we connected the client 2 with the credential users2 and we publish a message to topic

USER2/TOPIC1/TOPIC2

The client 1 received the message published by client 2 on USER2/TOPIC1/TOPIC2.

If we tried to subscribe USER2/# with the client 1 the broker blocked correctly the subscription.

We repeated the test with activemq-5-11.1 and the result is different.
ActiveMQ allow the client to subscribe the # topic like A-MQ but the client 1 doesn’t receive the message sent by client 2.