How is this secure?

It’s not zero security. Just because you can immediately sign up to Facebook does not mean you get full access to Facebook and can read everyone’s private messages.

What a user can and cannot access in the app is entirely up to the application API that is verifying the access token. So the developers of your own API are responsible for this.

What you are probably looking for is scopes / permissions, and Auth0 fully supports it. This means that Auth0 adds the appropriate permissions to the access token according to RBAC, and the API accepts or rejects a request depending on the existence of the relevant permissions in the token.

So in short, if you have a resource to protect, you put it under a scope / permission, and the user can only access the resource after you assign them the relevant permission (using the Auth0 dashboard or Management API).
