Being able to subscribe to # doesn't mean you'll get all
messages. You need to actually experiment with this.
If you use acls to only allow your clients access to
"somewhere/something/elsewhere" they can still _subscribe_ to "#"
, but they'll only get what they're allowed.
If it helps, think of "#" not as "everything" but "everything
you're allowed access to"