Part of the access check to something really protected is the check that the user folder authenticating the user is "in context" of the accessed object. "in context" here means that the parent of the user folder is an ancestor of the accessed object.
In your case, the user folder of othersite is likely not "in context" of objects in newsite: as a consequence, a user authenticated in othersite should not be able to do protected things in newsite.