After setting up Toad Security and adding FTP to be restricted, it is still accessible from Toad. The same behavior is seen for the following items:
Product defect. The items should not be included in Toad Security as they are not tied to database connections.
Waiting for fix in a future release of Toad for Oracle.