- Bug
- Resolution: Done
- Major
- 6.1.0
- None
Description of problem:
Any authenticated user can see tasks which they don't own via the remote REST API.
For instance, in my test case, a user task is created with group "admin".
If a user is authenticated for the remote REST API as user "jbpmuser", who has the "admin" role, i.e.

    restSessionFactory = new RemoteRestRuntimeEngineFactory(
            "com.samplerj01:1.0", new URL(
                    "http://localhost:8080/business-central/"),
            "bpmsuser", "bpmuser");

all of the following methods return the expected task list:

    getTasksOwned("bpmsuser", "en-UK")
    getTasksAssignedAsPotentialOwner("bpmsuser", "en-UK");
    getTasksAssignedAsPotentialOwnerByStatus("bpmsuser", status, "en-UK")

But if the user is authenticated for the remote REST API as user "guest", who doesn't have the "admin" role, i.e.

    restSessionFactory = new RemoteRestRuntimeEngineFactory(
            "com.samplerj01:1.0", new URL(
                    "http://localhost:8080/business-central/"),
            "guest", "quest");

authentication succeeds and both getTasksAssignedAsPotentialOwner() and getTasksAssignedAsPotentialOwnerByStatus() return no tasks (as expected),
but getTasksOwned() for another user returns a list of tasks.
Version-Release number of selected component (if applicable):
BPM Suite 6.1.0
How reproducible:
Deploy a process including a user task and then search for tasks using the REST API.
Steps to Reproduce:
1. Create 2 users: one (e.g. bpmsuser) who has the admin role and one (e.g. guest) who does not have the admin role.
2. On Business Central, create a business process including a user task that is assigned to a group (e.g. admin) and deploy it.
3. Log in to Business Central as the admin user (bpmsuser), then start some instances and claim and complete some of the user tasks.
4. Run the REST API, authenticating as the non-admin user, to get the list of tasks.
Actual results:
getTasksOwned() returns a list of tasks even if the user doesn't own the tasks and is not a member of the group the user task is assigned to.
Expected results:
No other user's tasks should be returned if the user doesn't have the appropriate role.
Additional info:
This may be a duplicate of bug 1227897.
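The authorization rule the expected result describes, modelled as an added Python example (this is not jBPM or BPM Suite code; the USER_ROLES store, the Task class and the task data are constructed to mirror the report's scenario, with a user's roles standing in for the groups a task is assigned to):

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Added example, not jBPM/BPM Suite code: a minimal model of the authorization
# check getTasksOwned() should enforce. Users, roles and tasks are constructed
# to follow the report; a user's roles double as the groups tasks are assigned to.

USER_ROLES = {"bpmsuser": {"admin"}, "guest": {"user"}}   # constructed identity store

@dataclass
class Task:
    task_id: int
    actual_owner: Optional[str]                  # user who claimed the task, if any
    potential_groups: Set[str] = field(default_factory=set)

class Forbidden(Exception):
    """Caller may not query on behalf of the requested user."""

def _may_query_for(caller: str, user_id: str) -> bool:
    # A user may list their own tasks; only an admin may list someone else's.
    return caller == user_id or "admin" in USER_ROLES.get(caller, set())

def tasks_owned(caller: str, user_id: str, tasks: List[Task]) -> List[Task]:
    """Tasks claimed by user_id; the report's bug is this check being absent."""
    if not _may_query_for(caller, user_id):
        raise Forbidden(f"{caller} may not list tasks owned by {user_id}")
    return [t for t in tasks if t.actual_owner == user_id]

def tasks_assigned_as_potential_owner(caller: str, user_id: str,
                                      tasks: List[Task]) -> List[Task]:
    """Unclaimed tasks one of user_id's groups may claim (the call that already
    behaved correctly for 'guest' in the report)."""
    if not _may_query_for(caller, user_id):
        raise Forbidden(f"{caller} may not list tasks for {user_id}")
    groups = USER_ROLES.get(user_id, set())
    return [t for t in tasks if t.actual_owner is None and t.potential_groups & groups]

# Constructed tasks: both assigned to group "admin", one already claimed by bpmsuser.
TASKS = [Task(1, "bpmsuser", {"admin"}), Task(2, None, {"admin"})]

def guest_can_read_admin_tasks() -> bool:
    """Regression check for the report: False once the check is enforced."""
    try:
        tasks_owned("guest", "bpmsuser", TASKS)
        return True
    except Forbidden:
        return False
```

guest_can_read_admin_tasks() is the condition to re-check after a fix: the admin user still lists its own and other users' tasks, while the non-admin caller is refused rather than handed another user's task list.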
- blocks: RHBPMS-1633 Any authenticated user can see tasks which doesn't own by remote REST api (Verified)
- is duplicated by: RHBPMS-1633 Any authenticated user can see tasks which doesn't own by remote REST api (Verified)