How can I make sure that users access their tasks via the workflow and not via the menu or launch pad?
The routing mechanism for work items uses roles and organizational assignments to determine who receives which work item. However the routing does not provide extra authorization checks based on the routing configuration. If you want to ensure that the tasks are executed within the workflow, and not via the standard transaction, service or MiniApp, then you will have to apply your own protection.