CUG is implemented via groups, that means using the permissions built into the repository itself. As a user you only see the pages which are visible to you, but not the ones which you are denied to see.
That means that the repository will give you the same response (from an API point of view) if
* you want to access a non-existing node
* you want to access a node, which you are not allowed to see.
This is for security reasons.
If you want to give the user a hint, that the permissions are insufficient, you should implement a custom 404 handler, which internally checks which of the both cases are the true reason behind the 404.
Jörg