この問題に気づくに至った一連のステップは以下の通りです:
ステージドユーザーはグループのメンバーではないため、プライベートカテゴリ内の何らかのメールを受け取るべきではありません(トピックの作成者/OP であるとしても同様です)。
I think this is covered in the settings under your group at manage/interaction:
Posting
Who can @mention this group?
Who can message this group?
The workflow you described is intentional, and likely used more widely; we use it as a group inbox/support channel, which requires staged users (non-forum folks, like customers) to be able to email in to a private group used by internal support people.
If I were you I’d look at the forwarded emails behaviour setting. You maybe want “quote” or “hide”, depending on what your group is for. 
I don’t think the group settings are a factor here. The email is created as a PM and the email settings have expanded the audience of the message to the group PLUS the staged user.
As the user is part of the PM audience they will receive emails related to that PM topic.
Groups are just one type of recipient for a private message. They aren’t a container or a boundary for it’s distribution.
Oh I notice a confusion here, which is my fault. This is not a group PM.
This was in a topic created in a category that only a particular group members can access. Let me update the op as well.
Staged users don’t need permission to access a category, they will always have access to topics that they are staged into. If you forward an email into a category and the above settings are enabled they will behave like staged users within that topic.
This is how many discourse-based support communities work. They rely on this feature.
It’s working as intended, no information leaked you just weren’t aware of the implications of these settings.
Ah. Assuming all of this is intended, how do I now make sure that the staged user does not receive emails for further replies in that topic?
Do I need to delete the user?
If you delete the user you can anonymize their posts but that doesn’t stop a recurrence.
You can solve for the future by disabling the email parsing, disabling staged users, or educating your users not to do this unless they intend on the above outcome.