While I do not know QGIS, I'm wondering if it's similar to some of our applications where they always use the same system login for the database while each user provides a unique login to the application. Have you ever set log_connections in your postgresql.conf file? That would show you which user is connecting during your attempts, and they might very well be something you're not expecting. As far as I know, there is no way for any application to bypass PostgreSQL's internal security model.
Check which user is used the first time you connect to the database through QGIS, and if you switch the user to [user_name] in a second moment. I'm wondering if you are keeping some privileges from a previous session.