When creating an own report, one can block the link from being visible by returning false in the showReport() -function (see com.atlassian.jira.plugin.report.impl.AbstractReport). What this does, however is not what one would expect. The report can still be accessed by a user that cannot see the link. This is possible by giving the correct URL:
http://[server]:[port]/jira/secure/ConfigureReport!default.jspa?selectedProjectId=[project_id]&reportKey=[report_plugin_id]

This is super easy to fix, just check showReport() in all steps for creating and showing the report (such as generateReportHtml() and constructHtml()). This is how I have dealt with this in my reports i want to hide. However, this should be dealt in AbstractReport instead.