pfSense LAN separation

No, I mean incoming. Have a look at this docs page: Firewall — Firewalling Fundamentals | pfSense Documentation

And that is exactly the behavior that is expected with the rules you now have on your LAB interface.

Say you have (IPv4) traffic originating in the LAB network destined for a host in the CONTROL network. That traffic enters the firewall on its LAB interface, therefore it is matched against the rules on the LAB tab. The first (and in this case, only) rule that matches is the “Default allow LAN to any rule”, which allows the traffic. Therefore, you can reach the host in the CONTROL network from a machine in the LAB network.

That’s not how pfSense works. You don’t filter by outgoing interface. You have to be very careful when using the “any” destination in your rules because, by definition, it includes local networks. And that is not what people want in most cases.

Have a look at this:
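The evaluation order described in this post, modelled as an added example that is not part of the original post and is not pfSense code: rules are looked up on the tab of the interface the traffic enters on, first match wins, and no match means default deny. The subnets, the block-all rule on the CONTROL tab and the "separated" rule set are constructed assumptions; floating rules and state tracking are left out of the model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing; the thread does not state the real subnets.
LAB_NET = ipaddress.ip_network("192.168.10.0/24")
CONTROL_NET = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")  # "any" covers local networks too


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    descr: str


def evaluate(rules_by_iface, ingress_iface, src, dst):
    """Decide a new connection the way interface-tab rules are applied:
    only the tab of the interface the packet enters on is consulted."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules_by_iface.get(ingress_iface, []):
        if src_ip in rule.src and dst_ip in rule.dst:
            return rule.action, rule.descr      # first match wins
    return "block", "implicit default deny"


# Rule set as described in the post, plus a hypothetical block-all on the
# CONTROL tab to show that it never sees traffic arriving from LAB.
AS_POSTED = {
    "LAB": [Rule("pass", LAB_NET, ANY, "Default allow LAN to any rule")],
    "CONTROL": [Rule("block", ANY, ANY, "Block everything (hypothetical)")],
}

# One way to separate the networks: block the local destination on the
# ingress tab, above the broad pass rule.
SEPARATED = {
    "LAB": [
        Rule("block", LAB_NET, CONTROL_NET, "Block LAB to CONTROL"),
        Rule("pass", LAB_NET, ANY, "Allow LAB to any"),
    ],
}

if __name__ == "__main__":
    for name, ruleset in (("as posted", AS_POSTED), ("separated", SEPARATED)):
        for dst in ("192.168.20.7", "8.8.8.8"):
            print(name, dst, evaluate(ruleset, "LAB", "192.168.10.5", dst))
```
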