Hello,
Yes, this behavior is by default. Your RDS deployment is correct. Both RemoteApp and full remote desktop sessions leverage the underlying Remote Desktop Protocol and associated technologies to facilitate remote access.
There is no straightforward way If you are expecting to restrict users from accessing full desktop, for workarounds, you could refer to this thread.
Best regards,
Karlie