This isn't a bug, there's just no logged-out/public view for the home page right now. See T3979.
If you don't want users to access applications without logging in, disable policy.allow-public. The documentation for the setting is (hopefully) clear about what this setting does:
Phabricator allows you to set the visibility of objects (like repositories and tasks) to 'Public', which means anyone on the internet can see them, without needing to log in or have an account.
This is intended for open source projects. Many installs will never want to make anything public, so this policy is disabled by default. You can enable it here, which will let you set the policy for objects to 'Public'.
Enabling this setting will immediately open up some features, like the user directory. Anyone on the internet will be able to access these features.
Does that make sense, or am I misunderstanding? I'll merge this into T3979 if it's just a confusion issue over the lack of a logged-out view for the homepage.