[infosechandbook]

> the user isn't really in control of who can see this information

Server-side parties (e.g., the admin) can see the status information without adding somebody to the group. It is in cleartext, passing the server.