I go to the security panel in the Admin UI in the endpoint management for my process.
I add my user with the Invoke permission to that user, but the others can always see and start it in the Workspace.
Perhaps someone has added the 'Services User' role to all users, which gives them the ability to invoke any service. Check on that in Admin UI > Settings > User Management > Role Management and then look into the Services User role to see who the Role Users are.
I'm trying to limit process invocation as well - the option you describe worked for me in ES1 but it is not available in Endpoint Management in ES2. I'm running into the issue that all users with the LiveCycle Workspace User role can invoke any process from Workspace, regardless of whether the Services User role has been assigned to them. I need to limit the users who can invoke the process, but I don't want to exclude any users from just entering Workspace and looking at the tasks that have been assigned to them.