Type: Suggestion
Resolution: Unresolved
Component/s: Project Administration - Permissions
Issue:
With users from multiple external sources, there is no way to restrict user lookup from other sources.
Example: all the users from multiple sources (it could be from multiple remote directories, or could have different email domains) working on a single project would be able to look up users (assignees and reporters) from all the sources without any restrictions.
Impact:
This is leading to client PII data being exposed across all clients, which can be considered a security/data breach by our clients and against GDPR regulations.
Possible solution:
There should be some sort of permission restriction that lets us restrict client users' ability to view users, possibly based on email domain, or based on the security group they are part of or the security level assigned to the issue.
Issue links:
- was cloned as: JRASERVER-79191 Project-scoped user visibility in Jira Data Center (Gathering Interest)