When hiding a location in admin interface, visibility is not reflected on the frontend in the built-in ViewController. Hence, accessing directly to the location either with its system URI or URLAlias will still display the hidden content.
It should throw a NotFoundException.
API wise, Visibility flag is not permission based and is not meant to restrict access. It's more a filter.
To restrict access to a content, you must use sections and/or object states.