Hello Nouhila,
I looked into this thread and I understand that you have hidden the "Dynamics 365 - Custom" app by clicking on (...) > Hide for all roles -
and the expectation here is that it should not - a.) show in listed apps of users and b.) even if an user tries to access it, it shows throw an error.
After researching on this behavior and also, tried to repro the issue at my end and I see the same behavior as you do - when admin hides the "Dynamics 365 - Custom" app by clicking on option "Hide for all roles", it's actually only hiding from UI / display, not making any change in user security role so admins / users still have access to the default app and if it's accessed using direct URL - it would allow user to see the Default UCI app and you can find same info in this article -
"The legacy web client app, also known as Dynamics 365 - custom, is hidden from end users when a new environment is provisioned. It is always visible to those with System Administrator and System Customizer roles, and to other custom roles with similar privileges. The legacy web client app should only be used temporarily for backwards compatibility with custom and third-party legacy functionality that you have not migrated to Unified Interface. It is not designed for Unified Interface and can cause unexpected errors and experience. For the best user experience, port all custom and third-party functionality to model-driven apps for Unified Interface."
I understand that this is not what you were expecting as an answer but I would suggest to submit an idea - https://experience.dynamics.com/ideas/ and product team may review it to check if it's something can be done or not.
