You need to make sure you set the access requirements for the services to "Authenticated" or "Encrypted" (or a mix) for it to prevent access upon incorrect bonding/encryption, but yes. It should behave the way you are describing if setup properly :)
The behavior of the device on authentication failure will vary from device to device and also depends on your project.
You could call the CyBle_GapDisconnect() API under the CYBLE_EVT_GAP_AUTH_FAILED event. Also, add a CyBle_GapAuthReq() upon connection, i.e. under CYBLE_EVT_GAP_DEVICE_CONNECTED event. This will make sure that every central that connects to your phone has to pair successfully. If pairing is rejected/fails, then the device would disconnect immediately.
Secondly, "Permissions" such as Encryption required, Authentication required are set for characteristic properties such as read, write, notify and so on. This means that a client can read or write only if the link is encrypted and/or if the connection is authenticated. However, setting these permissions won't stop a client from 'discovering the services' on a server.
So, if the passkey is wrong, the client can still see the services but this depends on the configuration of the server.