I put in a tech support ticket, was on the phone with an esri tech support person this AM and the response was... "this is expected behavior in the latest version of Android". Ticket closed.
The only way to make sure users are challenged each time they open a map in Collector is for them to sign out of their named user account every time they are done working with a map. If they don't sign out, which in the case of Collector for Android it's: three dots -> switch account -> three dots -> remove.
Then, when the user gets back into Collector and they click their web map, they will be challenged with their org AD credentials.
I know my field staff will love this as it will cut down on the steps required for them to start editing in Collector, but from my end, I find it hard to understand how an Android update has change a key piece of how Collector works... namely that in the past, Collector has forced users to authenticate with their org creds every single time they fired up a web map in Collector, while never signing out of their named user account. Now that has changed, now, as long as a user remains logged into the AGOL org account, they will never be challenged with their employer org AD creds to see their secured feature layers (after they did it the first and only time).
Interesting.