User without visibility of group can tag group

Summary

User without visibility of group can tag group

Steps to reproduce

Have a self-hosted GL instance and a @companyx user group, and a user (a contractor, for example) who has no visibility/privileges other than to his own contractor-project.

Have the user create an issue or merge request mentioning @companyx (he doesn't know this group exists because of his limited privileges).

What is the current bug behavior?

This will tag the members of @companyx (and add them as participants).

What is the expected correct behavior?

If a user doesn't have permissions to see a group (it does not show as a hint when typing @), they should not have permissions to tag the group or interact with it in any way.

Edited Nov 27, 2018 by martin.m
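
The report describes a group that is hidden from the @ hint list but still expands to its members when the mention is saved. The sketch below is an added example, not GitLab's code: it contrasts mention resolution that skips the visibility check with resolution that applies the author's read permission per group. All class, method and group names and the read policy are assumptions made for illustration.

```ruby
# Added illustration; not GitLab code. All names here are hypothetical.
require 'set'

# visibility is :public or :private; member_names lists the group's users.
Group = Struct.new(:path, :visibility, :member_names)
User  = Struct.new(:name)

# Matches "@path" when not preceded by a word character or another "@".
MENTION = /(?<![\w@])@([A-Za-z0-9_][A-Za-z0-9_.-]*)/

# Assumed policy: a group is readable if it is public or the user belongs to it.
def can_read_group?(user, group)
  group.visibility == :public || group.member_names.include?(user.name)
end

# Behaviour from the report: any existing group path expands to its members,
# regardless of who wrote the text.
def participants_unchecked(text, groups)
  text.scan(MENTION).flatten.each_with_object(Set.new) do |path, out|
    group = groups[path]
    out.merge(group.member_names) if group
  end
end

# Expected behaviour: a mention expands only if the author may read the group.
# Unknown and unreadable groups are handled identically, so the result does
# not reveal whether a hidden group exists.
def participants_checked(author, text, groups)
  text.scan(MENTION).flatten.each_with_object(Set.new) do |path, out|
    group = groups[path]
    next unless group && can_read_group?(author, group)
    out.merge(group.member_names)
  end
end

# Constructed sample data.
GROUPS = {
  'companyx'    => Group.new('companyx', :private, %w[alice bob]),
  'contractors' => Group.new('contractors', :private, %w[carl])
}.freeze
CONTRACTOR = User.new('carl')
NOTE = 'Please review @companyx and @contractors, also @nosuchgroup'

if __FILE__ == $PROGRAM_NAME
  puts "unchecked: #{participants_unchecked(NOTE, GROUPS).to_a.sort}"
  puts "checked:   #{participants_checked(CONTRACTOR, NOTE, GROUPS).to_a.sort}"
end
```

The permission check sits in the resolver that produces participants, so it holds even when the author types the group path by hand instead of picking it from the hint list.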