Sorry, I hadn't seen this question until just now.
So Programmes and Projects are always public and browseable. This is fixed, and because the intention is to promote and disseminate details about your project.
Data files, and other "assets" however, have sharing permissions and can be made private. You can set the default sharing permissions for your project, and items uploaded will adopt those permissions by default when associated with the project.
If you want to block access to the projects and programmes for anonymous users you would need to change the code. A simple way could be to add a before_action near the top of the projects_controller.rb, and programmes_controller.rb, which would look like:
I've not tested the above, and may have some side effects I've not concidered, but would be a good starting point.
hopefully this helps,