Assume I have a package X in the default environment v1.0. Now I switch to a custom environment, e.g. activate whatever. By default, using X will work despite the fact that I never added X to whatever, because (AFAIU) the package manager will check all DEPOT_PATH paths, which includes v1.0, where X will be found.
Is there a way, except just modifying the DEPOT_PATH, to tell Julia to be more strict and only look for packages in the current environment?
The package manager is not involved in calls to using, and I think you mean LOAD_PATH instead of DEPOT_PATH. The load path decides what you can using, and what X means in using X, but when the given package has been determined, julia will look for the installation of that package in all DEPOT_PATHs.
You can modify the load path to include only your home project/active project as follows:
$ export JULIA_LOAD_PATH=@
$ julia -E 'Base.load_path()'
String[] # Can't load anything.
$ julia --project=. -E 'Base.load_path()'
["/home/fredrik/Project.toml"] # Can only load whats in this Project.toml file.