Hi, I am not sure if it is a bug or an expected behaviour but I think it is a problem for GDPR compliance. That info might be also accesible from other apps.
This issue has been reported by a user in our nextcloud instance. That instance, which has an A+ in Nextcloud Security Scan. The instance also has all email privacy scope set to “Private” by default.
The issue has been tested in other instances hosted in different servers.
To replicate the isuue:
While wrintg an email in rainloop app, even if a user has no contacts in his account, rainloop proposes the emails of all the instance users.