Android custom permission with signature not working


My goal is to create 2 Android apps that can communicate securely via Intent (open an activity in app A or B). Of course, I defined a custom permission that is protected by the "signature" level. My problem is that the 2 apps can still communicate with the same permission but different signatures! Please, am I missing something?
In app A's manifest there is:
<permission
        android:name="xxx.yyy.permission.MY_CUSTOM"
        android:label="@string/some_label"
        android:description="@string/some_description"
        android:protectionLevel="signature" />
<!-- This is needed because of B->A communication as well -->
<uses-permission android:name="xxx.yyy.permission.MY_CUSTOM" />

And in application B there is:

<activity-alias
        android:name=".MyClient"
        android:targetActivity=".MainActivity"
        android:permission="xxx.yyy.permission.MY_CUSTOM"
        android:exported="true">
    <intent-filter>
        <action android:name="xxx.yyy.action.MY_CUSTOM_ACTION" />
        <category android:name="android.intent.category.DEFAULT" />
    </intent-filter>
</activity-alias>

Now, I want to open the activity in app B from app A:

// Build the implicit intent that app B's activity-alias listens for
final Intent result = new Intent();
result.setAction("xxx.yyy.action.MY_CUSTOM_ACTION");
result.addCategory("android.intent.category.DEFAULT");
result.putExtra(KEY, value);
// ... further extras
// Launch it; the variable name must match the intent built above
startActivityForResult(result, REQ_CODE);

First of all, it worked normally, but then I tried to build app B with a different keystore (just freshly generated, nothing special) and apps A and B were still able to communicate with different signatures :-O I also uninstalled/installed the apps due to a possible package cache or so... but the problem wasn't solved.
I suspected the build from AS, so I built it "manually", but no difference. I compared the hashes of the APKs with the apksigner tool; they were totally different (SHA-256, SHA-1, MD5). Also, I tried to define the same 'permission' in app B, and (in case of different signatures) app B failed to install - of course. So the signature is working in that way.
My goal is that app A should get a SecurityException if there is an app B listening on the action 'xxx.yyy.action.MY_CUSTOM_ACTION' but not signed with the same certificate.
Thank you for any hint or experience on how to build such a communication pipe.
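A signature-level permission is checked against the certificate of the package that *defines* the permission, and the check is applied to the *caller* that holds it. In the setup above, app A defines the permission and A also sends the intent, so A always satisfies the check regardless of how B is signed; the permission says nothing about the receiver's identity. If the sender wants a SecurityException when the handler is not signed with its own certificate, the sender has to verify that itself before starting the activity. The following helper is an added example and is not part of the original post; the class name `SameSignatureSender` and the method name `requireSameSigner` are my own choices. It resolves the handlers for the intent, compares each handler's signing certificate with the caller's via `PackageManager.checkSignatures`, and pins the intent to the verified package so that no other app can pick up the implicit action.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;

import java.util.List;

/** Added example helper (not from the original post): refuse to send an intent to a differently-signed app. */
public final class SameSignatureSender {

    private SameSignatureSender() {
    }

    /**
     * Returns the intent, pinned to a handler package that is signed with the
     * same certificate as the calling app.
     *
     * @throws SecurityException     if any app that would handle the intent has a different signer
     * @throws IllegalStateException if nothing on the device handles the intent
     */
    public static Intent requireSameSigner(Context ctx, Intent intent) {
        PackageManager pm = ctx.getPackageManager();
        String self = ctx.getPackageName();

        // On Android 11+ (API 30) the caller must also declare a <queries> element
        // in its manifest for this action, or the list below will be empty.
        List<ResolveInfo> handlers = pm.queryIntentActivities(intent, 0);
        if (handlers.isEmpty()) {
            throw new IllegalStateException("No activity handles " + intent.getAction());
        }

        for (ResolveInfo ri : handlers) {
            String pkg = ri.activityInfo.packageName;
            // SIGNATURE_MATCH means both packages carry exactly the same signing certificates.
            if (pm.checkSignatures(self, pkg) != PackageManager.SIGNATURE_MATCH) {
                throw new SecurityException(
                        "Package " + pkg + " is not signed with the same certificate as " + self);
            }
        }

        // Pin to one verified package: an explicit target cannot be hijacked by an
        // app installed later that registers the same action in its intent-filter.
        intent.setPackage(handlers.get(0).activityInfo.packageName);
        return intent;
    }
}
```

Usage from the sending activity would be `startActivityForResult(SameSignatureSender.requireSameSigner(this, result), REQ_CODE);`. For the receiving side, the `android:permission` on B's activity-alias only binds the caller's identity if B (not A) is the package that defines `xxx.yyy.permission.MY_CUSTOM`; the install failure observed when both apps define it with different signers is the platform's duplicate-permission protection doing exactly that binding.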



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow