The thing is that when we you have read-only access to /content, /we-retail, /sample and product nodes, it works according to the given permissions.
However, whenever you(as an admin or something) add a new page beneath /content/we-retail/sample, as the parent(/sample) has read-only access, the user "sample" gets the read-only access to the newly created page by default.
If you go to /useradmin on your instance, after you created a new page under /sample, you can see that the user has read-only access to that page. You can remove the access from the read-only page. It works.
Permissions to user on Newly Created Page:
Remove the read-only access for sample user from the newly created page:
Newly created page no longer visible to sample user (or test user in my case):