I’ve just stumbled across this in another community. In that case, only the Espanol and Francais category should be visible. If you press ‘Private’ you’ll get a ‘This page doesn’t exist or is private’.
I tried to repro this on Meta and after pasting the url of some categories into the composer, I found that Support has a Bot testing category I cannot access but I can see it.
I tested it here and in another community and found that while subcategories show, any private top-level categories do not exhibit this issue.
For example, if I link both the Support category (a public category) and the Discourse Experts category (a private category), no embed in the Experts category appears (which may be by design, but I found it interesting). So, if I had access to a private top-level category but not all of the subcategories, I would be unable to see the subcategories when linking the top-level category in the composer.
Giving this one a bump as I can still repro here on meta with https://meta.discourse.org/c/support/6
Is this a small security issue?
For instance, if you had a parent support category for your customers (each with their own private subcategory that the other customers couldn’t see), they could get a sneaky peek at a list of who your other customers are by using this trick.