OpenShift Service Mesh
OSSM-6383

OSSM in clusterwide mode can include ALL cluster projects


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Affects Version/s: OSSM 2.4.6, OSSM 2.5.2
    • Component/s: Maistra
    • Severity: Important

      Configuring the SMCP in clusterwide mode using matchExpressions in spec.meshConfig.discoverySelectors, for example as described in our documentation [1], can lead to many openshift-* projects being scraped by istiod and included in the service registry.
      This seems to be extremely dangerous and breaks the security foundation of OpenShift. Istiod shouldn't be able to get any information from openshift-* projects, yet as a result proxies have visibility into the services and endpoints of these projects.

      Example:

      $ istioctl pc all productpage-v1-c4569599f-mg59z.bookinfo
      listener/172.30.244.221_443 172.30.244.221 443 ALL Cluster: outbound|443||api.openshift-apiserver.svc.cluster.local
      listener/172.30.247.249_443 172.30.247.249 443 ALL Cluster: outbound|443||metrics.openshift-authentication-operator.svc.cluster.local
      listener/172.30.253.229_443 172.30.253.229 443 ALL Cluster: outbound|443||metrics.openshift-kube-controller-manager-operator.svc.cluster.local
      listener/172.30.30.78_443 172.30.30.78 443 ALL Cluster: outbound|443||cluster-baremetal-webhook-service.openshift-machine-api.svc.cluster.local
      listener/172.30.35.2_443 172.30.35.2 443 ALL Cluster: outbound|443||router-internal-default.openshift-ingress.svc.cluster.local
      listener/172.30.35.93_443 172.30.35.93 443 ALL Cluster: outbound|443||console.openshift-console.svc.cluster.local
      listener/172.30.4.206_443 172.30.4.206 443 ALL Cluster: outbound|443||metrics.openshift-etcd-operator.svc.cluster.local
      listener/172.30.41.88_443 172.30.41.88 443 ALL Cluster: outbound|443||csi-snapshot-controller-operator-metrics.openshift-cluster-storage-operator.svc.cluster.local
      listener/172.30.55.123_443 172.30.55.123 443 ALL Cluster: outbound|443||metrics.openshift-kube-storage-version-migrator-operator.svc.cluster.local
      listener/172.30.68.205_443 172.30.68.205 443 ALL Cluster: outbound|443||apiserver.openshift-kube-apiserver.svc.cluster.local

      endpoint/10.130.0.35:8443 HEALTHY eu-north-1/eu-north-1b outbound|443||api.openshift-oauth-apiserver.svc.cluster.local
      endpoint/10.129.0.55:8443 HEALTHY eu-north-1/eu-north-1c outbound|443||api.openshift-oauth-apiserver.svc.cluster.local
      endpoint/10.0.138.122:6443 HEALTHY eu-north-1/eu-north-1a outbound|443||apiserver.openshift-kube-apiserver.svc.cluster.local
      endpoint/10.0.185.239:6443 HEALTHY eu-north-1/eu-north-1b outbound|443||apiserver.openshift-kube-apiserver.svc.cluster.local
      endpoint/10.0.211.126:6443 HEALTHY eu-north-1/eu-north-1c outbound|443||apiserver.openshift-kube-apiserver.svc.cluster.local
      endpoint/10.128.0.42:9202 HEALTHY eu-north-1/eu-north-1a outbound|443||aws-ebs-csi-driver-controller-metrics.openshift-cluster-csi-drivers.svc.cluster.local
      endpoint/10.130.0.11:9202 HEALTHY eu-north-1/eu-north-1b outbound|443||aws-ebs-csi-driver-controller-metrics.openshift-cluster-csi-drivers.svc.cluster.local
      endpoint/10.128.0.42:9203 HEALTHY eu-north-1/eu-north-1a outbound|444||aws-ebs-csi-driver-controller-metrics.openshift-cluster-csi-drivers.svc.cluster.local
      endpoint/10.130.0.11:9203 HEALTHY eu-north-1/eu-north-1b outbound|444||aws-ebs-csi-driver-controller-metrics.openshift-cluster-csi-drivers.svc.cluster.local
      endpoint/10.128.0.42:9204 HEALTHY eu-north-1/eu-north-1a outbound|445||aws-ebs-csi-driver-controller-metrics.openshift-cluster-csi-drivers.svc.cluster.local
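      The reason a matchExpressions-based discoverySelector pulls in openshift-* projects is a Kubernetes label-selector rule: the NotIn and DoesNotExist operators are satisfied by objects that do not carry the label key at all, and openshift-* namespaces normally carry no mesh-related label. The script below is an added example, not OSSM or Istio code; the documentation example referred to as [1] above is not quoted in the issue, so the two selectors (BROAD and OPT_IN), the istio-discovery label and the namespace inventory are constructed assumptions. It applies LabelSelector semantics to the inventory and reports which openshift-* namespaces each selector would admit to the service registry. It models only the selector; any namespace Istio includes unconditionally is out of scope.

```python
"""Simulate which namespaces an SMCP spec.meshConfig.discoverySelectors entry
would admit to istiod's service registry.

Added example, not OSSM or Istio code. The selectors, the istio-discovery
label and the namespace inventory are constructed assumptions.
"""

from typing import Dict, List

# Constructed namespace inventory: name -> labels. Kubernetes labels every
# namespace with kubernetes.io/metadata.name; openshift-* namespaces carry
# no mesh-related label at all, which is exactly what matters here.
NAMESPACES: Dict[str, Dict[str, str]] = {
    "bookinfo": {"kubernetes.io/metadata.name": "bookinfo",
                 "istio-discovery": "enabled"},
    "istio-system": {"kubernetes.io/metadata.name": "istio-system"},
    "openshift-apiserver": {"kubernetes.io/metadata.name": "openshift-apiserver"},
    "openshift-ingress": {"kubernetes.io/metadata.name": "openshift-ingress"},
    "openshift-kube-apiserver": {"kubernetes.io/metadata.name": "openshift-kube-apiserver"},
    "legacy-app": {"kubernetes.io/metadata.name": "legacy-app",
                   "istio-discovery": "disabled"},
}


def _expr_matches(labels: Dict[str, str], expr: Dict) -> bool:
    """One matchExpressions entry, with Kubernetes semantics for absent keys."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    present = key in labels
    if op == "In":
        return present and labels[key] in values
    if op == "NotIn":
        # An object WITHOUT the key satisfies NotIn: this is the trap.
        return not present or labels[key] not in values
    if op == "Exists":
        return present
    if op == "DoesNotExist":
        return not present
    raise ValueError(f"unknown operator {op!r}")


def selector_matches(labels: Dict[str, str], selector: Dict) -> bool:
    """LabelSelector: matchLabels and every matchExpressions entry are ANDed."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    return all(_expr_matches(labels, e) for e in selector.get("matchExpressions", []))


def discovered_namespaces(selectors: List[Dict],
                          namespaces: Dict[str, Dict[str, str]] = NAMESPACES) -> List[str]:
    """discoverySelectors is a list; a namespace is discovered if ANY selector matches."""
    return sorted(ns for ns, lbl in namespaces.items()
                  if any(selector_matches(lbl, s) for s in selectors))


def leaked_openshift_namespaces(selectors: List[Dict],
                                namespaces: Dict[str, Dict[str, str]] = NAMESPACES) -> List[str]:
    """The check a cluster admin wants: which openshift-* projects would istiod scrape?"""
    return [ns for ns in discovered_namespaces(selectors, namespaces)
            if ns.startswith("openshift-")]


# Assumed "everything that is not explicitly disabled" selector. Because NotIn
# is satisfied by namespaces lacking the key, it admits every openshift-* namespace.
BROAD = [{"matchExpressions": [
    {"key": "istio-discovery", "operator": "NotIn", "values": ["disabled"]}]}]

# Assumed opt-in selector: only namespaces that carry the label with an allowed value.
OPT_IN = [{"matchExpressions": [
    {"key": "istio-discovery", "operator": "In", "values": ["enabled"]}]}]


if __name__ == "__main__":
    for name, sel in (("broad", BROAD), ("opt-in", OPT_IN)):
        print(f"{name:7s} discovered={discovered_namespaces(sel)} "
              f"leaked={leaked_openshift_namespaces(sel)}")
```

      The design point is that a discoverySelector with only negative operators (NotIn, DoesNotExist) is an allow-by-default list, whereas an In or matchLabels selector is deny-by-default and requires each project to opt in explicitly; the latter is the shape that keeps openshift-* projects out of the registry without having to enumerate them.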

            rhn-support-tokeefe Tim O'Keefe
            rhn-support-andcosta Andre Costa