I am running:
Jenkins 1.500
CAS plugin 1.1.1 for authentication
Role Strategy Plugin 1.1.2. for authorization
Exclusion plugin 0.8
(these are the latest available at the time of writing)

The only security granted to anonymous users is "overall - read" and "job - read". However, if an anonymous user views Jenkins, the link to the management function "Exclusion Administration" remains visible in the top left hand conent of the Jenkins main page, and can be clicked.

 People
 Build History
 Project Relationship
 Check File Fingerprint
 Exclusion administration

The function should only be available to administrators. I suspect that the Exclusion plugin simply does not check for authorisation.