The NTFS access control lists are enforced by Windows. If a user can access the partition from outside Windows (for example by using a different operating system) then there are no guarantees of enforcement.
If you have files which must be protected, then use NTFS’s encryption features.
Unless you encrypt the files then the disk will be always fully readable. And yes it’s completely normal.
Think of it this way. The superuser (administrator) always has full access to anything (and if he doesn’t, he can gain the access). On your MacOS, you are the superuser, therefore if you don’t forbid yourself access to the files you will be able to access them. Now if you would want to limit access for other users, you can of course do that (but that’s something that has to be configured in MacOS not the Windows partition).
Filesystems are really only (potentially) secure when they’re accessed over a network, so that there’s no option for raw disk access.
There are a number of ways filesystem security can be bypassed, as you witnessed yourself with the dual-booting. With MacOS or Linux accessing a NTFS disk, this actually happens because the security specs of NTFS weren’t implemented when the driver was written, rather than because of any attempt to bypass it.
Even with filesystem encryption in place, a suitably motivated hacker with physical access to a machine can break security, either by infecting the OS to log passwords, or by bugging a keyboard. Even biometric security isn’t a full guarantee – for example, capture raw signals from a fingerprint reader, then play it back later.
Data can never be kept 100% secure if it is to be accessible at some point.