This is because the message is being sent Asynchronously, and the exception is not being captured.
If you were doing a transaction, the commit would throw the security exception for you, as the exception would be cached on the transaction until commit/prepare is called.
If you also configured the CF to send messages Synchronously, you would get the security exception.
This is actually something we may want to document.
Thanks clebert. +1 we should document this.