How are you restricting users from receiving a defect only license?
The ALM license is broken up into three parts test, requirement, and defect. A full license would have all three parts. A defect only license would only have the defect portion.
By default ALM will issue a license with all three parts, a full license, until all are given out then if there are test-only, defect-only, or requirement-only licenses those licenses will be given out. You can create groups and remove access to other modules to force users to pull a particular part or parts of the license. If you create a group that only has access to the defect module that would only restrict the users in that group to only pulling a defect-only license it would not restrict users outside of that group receiving a defect-only license if all the full licenses were used up. The only way that I can think of that you would be able to stop a user from getting a Defect-only license would be in the following example.
Project Customization -> Module Access if you remove (un-check) the defect module then the user should only pull a test and requirement portion of the license and not a defect license. This should stop them from also getting a defect-only license.
Now, if the user was able to access a project that he or she is has not been added to then they are probably a Site Administrator in ALM which would give them access to all projects. In that case they would probably receive any available license.
So if you could let me know how you are restricting the users from getting a defect/defect-only license I might be able to pin point what happened. Also if the issue is that the user should not have access to the project in the first place then check to see if they are a Site Administrator in Site Admin.