I confirm it, and this is pretty poor. Surely the very first discussion of how to do paid content in an apt based system would have included how to ensure you don't accidentally make that content available to anyone. I suppose I assumed they'd do this the same way you get hold of the nokia-binaries in scratchbox, you sign up, and get an apt source with a unique key on it which identifies you. then just make anything you've paid for available in your account-linked 'virtual' repository.
They're maemo and MeeGo... "Meamo!" sounds like what Zorro would say to catherine zeta jones... after she slaps him for looking at her dirtily...