User is able to access a second app that their connection is not enabled in

I’m having several weird issues and i think i might not be understanding this correctly. I have two applications: appA and appB, and two corresponding database connections: dbA and dbB. dbA is only enabled for appA, and dbB is only enabled for appB. dbA has all of my users in it, but dbB has only a handful i want to access appB, but their emails are registered in both database connections. The login page for both work as expected, i cannot get in to the app with a user that is not in the corresponding database.

The first issue is if I sign in to appA, then go to sign in to appB, it recognizes that I am signed in and lets me in automatically even if I am not part of dbB. The appB login page will not let me sign in with that email, but i can just avoid that by signing in to appA first, which basically means everyone in dbA also has access to appB even though that connection is disabled.
I saw that SSO can be enabled if you want this to happen, but i do not, and have no SSO integrations enabled. I’m not sure how to disable that “feature”.

Second issue, I have a user who is in both database connections. After using the reset password links generated from both apps I am only able to sign in to appA, appB is giving me a wrong password error. So i have a suspicion that its just finding the first user and updating it regardless of which app was being used. I used the same password both times, I am able to sign in to appA with it but not appB.

so my question is how do i keep these connections/apps separate? it seems like auth0 is mixing them together and weird things are happening as a result. I saw that having a second tennant was an option but these are almost identical apps, using the same domain name, just different subdomains. I like that the users who should have access to both only have to sign in once, but its opening up both sites to all users which I cant have.