If there is a custom field -user picker defined in the browse project section in permission scheme, then people who do not normally have permissions to view the project (and would not see the project on the dash) do see the project.
Removing the custom field user-picker from the permission scheme does remove the visibility of the project.
Confirmed behavior on client's dev instance via webex and on test
If there are multiple issues in the project, the unprived user can see what he actually does have perm to see (i.e. if he is defined as a user in the custom field that is in browse project section), but if there are 0 issues that he has access to, he is still aware of the project.
Reported in JSP-23027