A subscription page to any mailing list can be accessed with /civicrm/mailing/subscribe?reset=1&gid=X regardless of the Mailing list or Visibility setting.
Groups that have Visibility = User and User Admin should not provide a subscription page.
Groups that are set to Access control should not provide a subscription page. (pretty sure on this one, but maybe there's a good reason otherwise)
Desired behaviour is that when a group is addressed that does not have appropriate permissions, then a message saying "Sorry, unable to find a subscription" or something to that effect is shown.
To recreate on the demo server:
(See the Administrator sign-up page)
1a.. Visit http://drupal.demo.civicrm.org/civicrm/mailing/subscribe?reset=1&gid=1
1b.. Observe that the Administrator group appears when it shouldn't
2a.. Visit http://drupal.demo.civicrm.org/civicrm/mailing/subscribe?reset=1
2b. Note that when the subscription pages are specified without gid=, then the correctly filtered subset of groups appears.