Project: Jira Cloud
Issue: JRACLOUD-80908

Users who do not have access to the product are available in user picker fields such as Reporter and Watcher


Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Medium
    • Component: User search
    • Labels: None

    Description

      Problem

      When a user is provisioned but does not have access to the product, that user is still offered in the Reporter field of any instance (site) under the enterprise org.

      Environment

      Jira Software

      Steps to Reproduce

      1. Take a user who is provisioned and has no product access.
      2. Go to a Jira project in the instance and try to add the user in the Reporter field.
      3. The user is available in the Reporter field.

      Expected Results

      Users who do not have access to the product should not be available in the Reporter user picker field.

      Actual Results

      An IdP-provisioned user with site access but no product access is available in the Reporter field on the same instance.
      An IdP-provisioned user with site access but no product access is available in the Reporter field on a different instance.
      A non-synced (non-IdP) user with no site access is not available on the same instance.
      A non-synced user with site access but no product access is still shown in the Reporter field on the same instance.
      A non-synced user with site access but no product access is still shown in the Reporter field on a different instance.
      In effect, any user with access to any site in the org can be selected from the Reporter field, regardless of product access.
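The following is an added example, not Atlassian code and not part of the original report. It models the access rule the Expected Results section asks for (offer only users licensed for the product on the site where the picker is opened), models the behaviour enumerated in Actual Results, and diffs the two so that a practitioner auditing a picker response can list the accounts that should not have been exposed. The `User` dataclass, the site names `site-a`/`site-b`, the product name `jira-software` and the six sample accounts are constructed for the example and correspond one-to-one to the cases above.

```python
"""Model of the Reporter-picker access rule described in JRACLOUD-80908.

Added example, not Atlassian code. The User model, the site/product names and the
sample accounts below are constructed to mirror the cases in "Actual Results".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    account_id: str
    idp_synced: bool          # provisioned through the IdP (SCIM) or created manually
    site_access: frozenset    # sites in the org the user can log in to
    product_access: frozenset # (site, product) pairs the user is licensed for


def expected_picker(users, site, product):
    """Accounts the picker on `site` should offer: users licensed for `product` on that site."""
    return sorted(u.account_id for u in users
                  if site in u.site_access and (site, product) in u.product_access)


def reported_picker(users, site, product):
    """Behaviour the report describes: anyone with access to *any* site in the org is
    offered, whichever site the picker is on and whether or not they hold the product;
    only accounts with no site access at all are hidden (case 3 in Actual Results)."""
    return sorted(u.account_id for u in users if u.site_access)


def leaked_accounts(picker_result, users, site, product):
    """Accounts present in a picker result that the expected rule would have hidden.
    `picker_result` may be the list from reported_picker() or account IDs copied from a
    real picker response."""
    return sorted(set(picker_result) - set(expected_picker(users, site, product)))


# Constructed sample org: two sites, one product, one user per reported case.
SAMPLE_USERS = (
    User("alice", True,  frozenset({"site-a"}), frozenset({("site-a", "jira-software")})),  # licensed on site-a
    User("bob",   True,  frozenset({"site-a"}), frozenset()),  # case 1: IdP, site access, no product
    User("carol", True,  frozenset({"site-b"}), frozenset()),  # case 2: IdP, other site, no product
    User("dave",  False, frozenset(),           frozenset()),  # case 3: non-synced, no site access
    User("erin",  False, frozenset({"site-a"}), frozenset()),  # case 4: non-synced, site access, no product
    User("frank", False, frozenset({"site-b"}), frozenset()),  # case 5: non-synced, other site, no product
)


if __name__ == "__main__":
    shown = reported_picker(SAMPLE_USERS, "site-a", "jira-software")
    print("expected:", expected_picker(SAMPLE_USERS, "site-a", "jira-software"))
    print("reported:", shown)
    print("leaked:  ", leaked_accounts(shown, SAMPLE_USERS, "site-a", "jira-software"))
```

Running the script for the `site-a` Reporter picker shows that only `alice` should be offered, while the reported behaviour also exposes `bob`, `carol`, `erin` and `frank`; `dave`, who has no site access, is hidden in both models, which is the one case the report lists as behaving correctly.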

      Workaround

      Notes

      You can pick anyone from any site. This is very concerning, as the customer works with very sensitive content on other sites. This is a very big security issue for the customer and also problematic from a personal data management perspective, as everyone is visible to all, really.

      The customer is concerned that everyone with access to one of our Jira products can see everyone with access to any other product or site within our Atlassian Enterprise Cloud.
      When customers are working with a lot of external parties, each dedicated to very specific projects on different sites, they can currently see other third parties working with us, while that shouldn't be the case at all.
      Even though the data itself is contained to those who can see it, the personal information of our vendors is compromised by this list of users in the user picker fields.

People

      Assignee: Unassigned
      Reporter: Aruna Johny
      Votes: 9
      Watchers: 31