To secure an Entity List, you must configure Entity Permissions for the Entity whose records are being displayed, and also set the "Enable Entity Permissions" boolean value on the Entity List record in the CRM to true.

Securing an Entity List ensures that any user who accesses the page is shown only the records they have been given permission to see. This is achieved by adding an extra filter to the CRM views that are surfaced via the list. The filter returns only the records that are accessible to the user via Read permission.

In addition, any actions that are defined for the List will respect the corresponding permission for that action, on a per-record basis. For example, if you have Edit permission for a record, the Edit action will be enabled for that record. The same applies to Delete, Create, etc.

Note that if no records are available, a message indicating this will be shown when the list is loaded.

However, good website design dictates that if a user is not in a role that has any permissions for the entity (i.e. there will never be a situation where they should see any records), they should not have access to the page at all, and thus the page should ideally be protected with Webpage Access Permissions.
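
One way to check a portal for the two weaknesses described above (a list without "Enable Entity Permissions", and a page reachable by roles that hold no Read permission on the entity), as an added example that is not part of the original page or the product's own code. The field names, finding codes, role names and sample data are all constructed for illustration, and anonymous visitors are not modelled.

```python
# Added illustration: audit an exported portal configuration (constructed data).
# All field names, finding codes and role names here are hypothetical.
ENTITY_LISTS = [
    {"name": "Open Cases", "entity": "incident", "enable_entity_permissions": True, "page": "/support/cases"},
    {"name": "Invoices", "entity": "invoice", "enable_entity_permissions": False, "page": "/billing/invoices"},
    {"name": "Partner Leads", "entity": "lead", "enable_entity_permissions": True, "page": "/partners/leads"},
    {"name": "Events", "entity": "event", "enable_entity_permissions": True, "page": "/events"},
]
ENTITY_PERMISSIONS = [
    {"entity": "incident", "role": "Customer", "privileges": {"Read", "Create"}},
    {"entity": "invoice", "role": "Customer", "privileges": {"Read"}},
    {"entity": "lead", "role": "Partner", "privileges": {"Read", "Edit"}},
    {"entity": "event", "role": "Customer", "privileges": {"Read"}},
]
# Page -> roles allowed by its access rule; a page with no entry is open to every role.
PAGE_ACCESS = {"/support/cases": {"Customer"}, "/partners/leads": {"Partner", "Customer"}}
ALL_ROLES = {"Customer", "Partner"}


def roles_with_read(entity, permissions):
    """Roles holding Read on the entity, i.e. roles that can ever see a record."""
    return {p["role"] for p in permissions
            if p["entity"] == entity and "Read" in p["privileges"]}


def audit(lists=ENTITY_LISTS, permissions=ENTITY_PERMISSIONS, page_access=PAGE_ACCESS):
    """Return (list name, finding code, role) tuples for weak configurations."""
    findings = []
    for el in lists:
        if not el["enable_entity_permissions"]:
            # Without the flag, the Read filter is never added to the list's views.
            findings.append((el["name"], "NOT_SECURED", None))
            continue
        readers = roles_with_read(el["entity"], permissions)
        reachable = page_access.get(el["page"], ALL_ROLES)
        # Roles that can open the page but can never be shown a record.
        for role in sorted(reachable - readers):
            findings.append((el["name"], "PAGE_OVEREXPOSED", role))
    return findings


if __name__ == "__main__":
    for name, code, role in audit():
        print(f"{name}: {code}" + (f" (role: {role})" if role else ""))
```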