I forget the Thrive Apprentice terminology, so I'm using generic LMS language here.
Did you set the Membership level and ccap on each piece of content?
Main course, each lesson page, etc.?
That's actually how LearnDash acts with whatever membership plugin they integrate and how Sensei works with Woo plugins.
It's really tedious to set it all up. Point is you can't just protect the course unless (maybe) you're using an all-in one like LifterLMS (and just guessing here--might be impossible too).
s2 doesn't support multiple levels per user and each level is supposed to get more access than each previous level.
I'm also guessing that, since s2 won't enroll your users into your Apprentice courses, they'll probably have to click on some button to enroll for the progress to be tracked or else they'll be viewing the free content (or for registered users) because it has to be set that way for the integration with a membership plugin to work.
1. Protect each piece of content.
2. Prefer a "reguire registration" option rather than "free" for the course, if available. That way they can't see content unless they register which, if they are logged in should be a button press if Thrive Apprentice allows that.
And, as I recall, Thrive Apprentice is integrated with a SAAS payment system. In the long run, it might be easier to just use that (but I haven't used it so can't comment---also haven't used Thrive Apprentice in production).