In case a user gets the link to an organization membership page, he can see the members even if he doesn't belong to it. This should not be possible.
A scenario which shows it:
1. Login with jdoe, create an organization, go to it's members list page.
2. Sign out
3. Sign in with a different user which doesn't belong to the organization. After logging in, the user lands on the organization membership page, seeing the members.
This can also happen with sharing the link directly of course, but the above scenario shows how it can happen without intention.