Leaking Sensitive Data Through Google Groups

Recently I have noticed that companies that use Google Suite have a fairly common misconfiguration that is making their internal groups public. In some cases it is just the name of the groups, but in some extreme cases the content of the posts is public.

Testing for this misconfiguration on your domain is as easy as looking at:
https://groups.google.com/a/%yourdomain.tld%/forum/#!forumsearch/

Google has (not really clear) instructions here on how to lock down your groups so they are not public. I have notified as many of the domains as I can that they have a misconfiguration, but I am not able to notify everyone, and Google has seemed to file this under "It's not a bug, it's a feature."
