Let me first explain how Jasonette works, and then answer your question:
Think of it as HTML. All websites you can view in the browser you can view the html. That's how it works.
As a base, Jasonette works the same way, you write JSON and load it from Jasonette. If this JSON was not available publicly, there would be no way for any client to process it (not just Jasonette but even you won't be able to load it from a browser).
But many websites have user accounts and user content. Think of Facebook, Twitter, etc. These are not static websites. When you go to the site, you sign in as a user, and their DB backend stores your credentials and content, and finally display the relevant content by generating them dynamically.
Basically, to protect content behind authentication on the web, websites need to have their own backend to store things to database.
Jasonette works the same way. To protect your JSON behind authentication, you first need to have authentication. And when I say this I mean you need to set up a server, write a web app (using php, rails, node, or whatever) that supports user accounts and all that logic. If you're trying to build say a social networking app, you won't be able to achieve it with just static JSON anyway, you need to have some sort of your own DB-backed backend. So if this is the type of app you're trying to build, you should write your backend, implement user accounts, and use
$session action on Jasonette to protect the JSON coming from your backend.
Another way people use Jasonbase is host only the skeleton markup and make
$network.request to their OWN server which contains the actual content. So if you already have an API, you can easily start an app just by writing some json on jasonbase, while keeping your content on your own server.
Hope this makes sense.