If you ask me, any page whose behavior depends on the currently logged-in user's identity, including the list of groups they're a member of, is not "static" in any meaningful sense.
Most people use "static" to mean that there is only one version of a response body. I guess denying access is technically a second version of the response body, but that's kind of a stretch because the layer where the body lives (ok, the two bodies: one for 200 and one for 403) doesn't need to be capable of business logic (like conditionals, db queries, etc.) during the request/response cycle. It uses them in perpetuity without tailoring them to the session.