It looks like we need to refine the logic in visible_groups a little more.
In this case, since theme_authors is visible to Everyone, the warning is superfluous.
SECURITY: Category group permissions leaked to normal users. · discourse/discourse@0f7b987 · GitHub
It looks like we lost that logic when this line was removed. We’ll need something similar on the backend, since we’re not exposing that info to the client anymore.