We have a Discourse site which includes lots of public discussion, but we also have some categories where we discuss private NDA’d materials.
The category itself seems fine… people trying to access it without permission are rejected.
The issue is that the group we use to secure that category is visible to everyone. People outside that group can not only see that the group exisits, but also see the members of the group.
It seems to me that groups need as much privacy as categories do.