When viewing a User on the admin/users page, the Primary Email and Secondary Email fields are hidden and require permissions to view:
But the same email is shown unprotected when using SSO further down the page:
Expected: SSO Email is protected like the Primary and Secondary emails.
Actual: SSO Email is not protected, and visible to moderators even when site settings forbid showing emails to moderators.
One more comment: I mentioned email, but really even the External ID can be sensitive info too.
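A regression check for the report above, added here as an example (not part of the original post and not the project's own code): it walks a serialized admin user payload as a restricted moderator would receive it and lists every path where an email or External ID is still exposed, including nested SSO data. The key names and both payloads are assumptions constructed for illustration.

```ruby
require "set"

# Keys treated as sensitive. These names are assumptions for this sketch;
# the post itself names the emails and the External ID.
SENSITIVE_KEYS = Set["email", "secondary_emails", "external_email", "external_id"].freeze
EMAIL_RE = /[^@\s]+@[^@\s]+\.[^@\s]+/

def blank?(value)
  value.nil? || (value.respond_to?(:empty?) && value.empty?)
end

# Recursively walk a parsed JSON payload and return the dotted paths of
# sensitive values that are present. A sensitive key with a non-blank value
# is reported; any other string that looks like an email is reported too,
# so a leak under an unexpected key is still caught.
def exposed_fields(node, path = [])
  case node
  when Hash
    node.flat_map do |key, value|
      here = path + [key.to_s]
      if SENSITIVE_KEYS.include?(key.to_s) && !blank?(value)
        [here.join(".")]
      else
        exposed_fields(value, here)
      end
    end
  when Array
    node.each_with_index.flat_map { |v, i| exposed_fields(v, path + [i.to_s]) }
  when String
    node.match?(EMAIL_RE) ? [path.join(".")] : []
  else
    []
  end
end

# Constructed payload: top-level emails withheld, SSO block still populated.
MODERATOR_VIEW = {
  "username" => "alice", "email" => nil, "secondary_emails" => [],
  "single_sign_on_record" => {
    "external_id" => "ext-123", "external_email" => "alice@example.com",
    "external_username" => "alice"
  }
}.freeze

# Constructed payload: the SSO fields are withheld under the same rule.
FIXED_VIEW = {
  "username" => "alice", "email" => nil, "secondary_emails" => [],
  "single_sign_on_record" => {
    "external_id" => nil, "external_email" => nil, "external_username" => "alice"
  }
}.freeze
```

Run as a request-level test against the real admin user response for a moderator account with email visibility disabled; an empty result is the expected outcome.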