I believe that from a security perspective, it is best to handle access to a restricted URL in 2 places:
Satya van He-men
I think your reason for concern is valid; it's possible because triggersEnter is called just once. I recommend reading the official tutorial on the Auth Logic Permission, which is on the Template level and is reactive.
Previously, we did this in the router layer (specifically with Iron Router). However, that's not a good design and we don't recommend it.