In my case, when I try to reopen a work item after it has been routed to another user, I'm able to open and perform the tasks assigned to that user. This can be done by clicking a BEGIN button. How can I make this not possible? Please find the attached screenshot for reference.
How are the access roles and privileges configured for that user's access group? You can compare with the out-of-the-box PegaRULES:User1 role, as that one should only allow the user to access his/her own assignments and unprotected workbaskets.