Elasticsearch does not implement external user checks correctly
As documented here: https://docs.gitlab.com/ee/user/permissions.html#external-users
An external user should not have general access to internal projects. We do not check this at all in
This came to light because we're fixing external users being able to access internal snippets in 9.1.3: https://gitlab.com/gitlab-org/gitlab-ce/issues/30487
That fix is incomplete as elasticsearch in EE was never checked or fixed. However, it's a more general problem than just snippets - it should apply to all searches. Internal projects should not be visible to external users unless they have been explicitly granted access, just like for private projects.
I've advised that 9.1.3 should continue without a fix for ES + external users + snippets, but it's not really my call to make.