Users that belong to a site can bypass Control Panel permissions by using URL http://localhost:8080/group/control_panel/manage/-/sites to access the Control Panel Sites. The portal property sites.control.panel.members.visible has the default value set to true and allows this behavior to occur. By using the URL, the user can view Membership Type, Active status, and private sites which can be argued should not be viewed unless given proper permissions.
The default value should be changed to false to prevent this behavior to occur.
Let me know if there are any questions or comments about this.