Private group permissions

We have a group set up for our company repositories (with private permissions), one of the projects in this group has an external developer who has been granted access. Conversation with the external developer leads us to believe that the developer is able to view the other repositories in the group, viewing his profile shows our company group as a group he is a member of but he doesn’t appear on the members list of the group.

Should the external developer be able to see (and potentially access) our other repositories?