I'm trying to share a RhodeCode install between public/FOSS code and some private stuff. With 1.3 I can create a group and make it not visible to (for example) guests. However, if I create a repo in that group and leave its settings as default, then it is accessible to guests who know the path.
The fix for now is to remember to set the repos to private as well, but it'd be useful and (IMO) more intuitive if repos in hidden groups were also hidden. Basically, default permission inheritance.
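The check implied by the workaround above can be automated. This is an added example, not part of the original post and not RhodeCode code. It audits for repositories that guests can still read inside a hidden group, next to the inherited permission the post asks for. The path-to-permission dictionaries, the `none`/`read` values and all function names are a constructed model, not RhodeCode's schema or API.

```python
# Constructed model (assumption, not RhodeCode's schema): every group and
# repository carries the permission granted to the default/guest user.
HIDDEN = "none"

GROUPS = {  # group path -> guest permission (constructed sample data)
    "foss": "read",
    "private": "none",
    "private/clients": "read",  # nested inside a hidden group
}
REPOS = {  # repo path -> guest permission (constructed sample data)
    "foss/website": "read",
    "private/billing": "read",  # the case from the post: defaults left on
    "private/payroll": "none",
    "private/clients/acme": "read",
    "standalone": "read",  # not in any group
}

def ancestor_groups(repo_path):
    """Yield every enclosing group path, outermost first."""
    parts = repo_path.split("/")[:-1]
    for i in range(1, len(parts) + 1):
        yield "/".join(parts[:i])

def is_hidden(groups, group_path):
    """A group missing from the map is treated as hidden (fail closed)."""
    return groups.get(group_path, HIDDEN) == HIDDEN

def exposed_repos(groups, repos):
    """Return (repo, hidden_group) for repos guests can read in a hidden group."""
    findings = []
    for path, perm in sorted(repos.items()):
        if perm == HIDDEN:
            continue  # already private, nothing to report
        hidden = [g for g in ancestor_groups(path) if is_hidden(groups, g)]
        if hidden:
            findings.append((path, hidden[0]))
    return findings

def effective_permission(groups, repos, path):
    """Inherited model requested in the post: a hidden ancestor hides the repo."""
    if any(is_hidden(groups, g) for g in ancestor_groups(path)):
        return HIDDEN
    return repos[path]

if __name__ == "__main__":
    for repo, group in exposed_repos(GROUPS, REPOS):
        print(f"{repo}: readable by guests, but group '{group}' is hidden")
```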