Project Access Tokens can access any "Internal" project
Since GitLab V13, a new user is created implicitly whenever a project-level access token is generated. In V13 those users have the Maintainer role by default on that project, but, as stated here, they have access only to that project.
We realised that with those project-level access tokens you can access any project whose visibility is set to Internal. In fact, any user who is not an external user can access Internal projects. One of the consequences of this is that if we share a single read-only project access token with an external user, they can access any internal project in our GitLab server instance, which we believe is an evident security hole. Is that expected behaviour?