I think what’s happening is just a UI problem. When you switch to a group, a hidden error is occuring, and so the UI keeps the data from the previous list. The users shown are not actually members of the private group.
If you visit this link directly: https://meta.discourse.org/u?group=testgroup then the list is empty. If you switch to ‘team’, and then back to ‘testgroup’, the list of ‘team’ members remain.
So there’s definitely a bug, but it’s not actually revealing any sensitive info. Does that match up with what you’re seeing?