Security rules do not follow inheritance, so you should set the access rules on both entities if you want to constrain access to both entities.
If you show objects in a grid that shows a generalization entity, those objects will still have the security rules for their specific type applied. This is what's happening in your example 2.
In your example 1 I'm not sure I understand exactly what you're doing. I read it as: you have an entity 'object2' and an entity 'object1', which has 'object2' as a generalization. You put a constraint on object1, and now you are still able to see all objects of type object1? If you are really sure that the objects you are viewing are really of type object1, and not object2, then that sounds like a bug. I just tested this case and it works fine in Mendix 5.4.0, so if you can reproduce this please file a ticket including test project.