Certified Security - Specialty


Forcing S3 to Use CloudFront – 4 to 48 hours?

In this lecture, at the end, Ryan states that it takes 4 to 48 hours for the restrict bucket access to take effect. I believe this is outdated information.

Currently, by default, newly created S3 buckets have block public access (BPA) enabled, and it must be explicitly disabled in order to be able to make an object public.

When you go back into your CloudFront distribution, enable restrict public access, create a new OAI and have it update the bucket policy, what it actually does is create a bucket policy which grants the OAI s3:GetObject permissions for the objects in the origin bucket. What it does not do is modify the BPA settings or create any deny statements in the bucket policy. So, if you unblock BPA, and use the CloudFront console to create the OAI and update the bucket policy, then it will not truly restrict the access to the bucket so that only CloudFront can access the bucket. You must also go in and remove policy statements which grant public access from the bucket policy, remove any public ACLs from objects or enable BPA on the bucket. 

This is reflected in the CloudFront documentation. 

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

If you go back into the S3 bucket after creating the OAI and updating the bucket policy through CloudFront, and enable BPA on the bucket again, then it will immediately block public access and only allow users to access the objects through the CloudFront distribution.
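The gap the post describes can be checked mechanically: the console-written OAI grant sits beside any leftover public Allow statement, and only removing that statement or enabling BPA closes it. The following is an added example, not code from the original post or from AWS; the bucket name and OAI id are constructed placeholders, and the BPA semantics follow the post's statement that enabling all four settings makes the bucket CloudFront-only.

```python
import json

# Constructed sample statements. The OAI id is a placeholder, not a real identifier.
PUBLIC_READ = {  # an older public-read statement the CloudFront console leaves in place
    "Sid": "PublicReadLeftover", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-origin-bucket/*",
}
OAI_READ = {  # the statement "update bucket policy" in the CloudFront console writes
    "Sid": "CloudFrontOAIRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-origin-bucket/*",
}
# Shape of S3's PublicAccessBlockConfiguration with every setting enabled.
BPA_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def policy(*statements):
    """Build a bucket policy document (JSON string) from the given statements."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})


def _principals(principal):
    """Flatten Statement.Principal ("*", or {"AWS": str|list}, ...) into a list of strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out


def public_allow_sids(policy_json):
    """Sids of Allow statements granted to the anonymous principal "*".
    Statements with a Condition are still flagged: they need manual review, not silent trust."""
    doc = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in doc.get("Statement", [])
            if s.get("Effect") == "Allow" and "*" in _principals(s.get("Principal", {}))]


def cloudfront_only(policy_json, bpa):
    """True when the policy grants no public read, or when BPA is fully enabled so that any
    public statement is neutralised and only the OAI grant remains effective."""
    if not public_allow_sids(policy_json):
        return True
    return all(bpa.get(k) for k in BPA_ALL_ON)


if __name__ == "__main__":
    leftover = policy(PUBLIC_READ, OAI_READ)
    print("public statements:", public_allow_sids(leftover))
    print("CloudFront-only without BPA:", cloudfront_only(leftover, {}))
    print("CloudFront-only with BPA:", cloudfront_only(leftover, BPA_ALL_ON))
```

The check covers the bucket policy only; public object ACLs, which the post also mentions, are a separate setting that IgnorePublicAcls handles when BPA is enabled.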

Rstgermain

Good catch!

0 Answers
