If your mx subdomain resolves to the same IP address as your web site (and it will be with default symbiosis setup), then yes, it is expected behaviour. Browsers will ask Apache for a web site, but Apache has no configuration that refers to it. So, it uses the first Apache configuration available. There likely won’t be a certificate that matches, but you could get that to work, if you wanted.
You could configure another subdomain aaaa.example.com to serve an error message, if you wish.
The same goes for the ftp subdomain, and a few others that Symbiosis thinks might usefully point to the server. And ANY other domain that resolves to your IP address, even if you don’t own the domain.
Alternatively, you could hack the DNS records to remove those domains, but that might mess with email delivery, or ftp access, and so on.