It seems to me that the default behavior of automatically attaching each and every group to a newly created private repository is wrong.
Here's my use-case: I have several projects that I've created. There exists a "developers" group and they automatically are given "write" permission (from the group) - I'm fine with that, however, now I'm bringing in a consultant to work on a very specific project - I create a "Consultants" group and add the consultant to that group. I now create a repository for his project - ok great, both the consultant group and developers group have write access. Now I create a new internal private repo for my developers - uh oh, the consultant is now given default access to the new repo - I understand that I can go into each repo and remove the consultant group (I really don't want them to have even read access to some projects).
I think it would be better to either have a "new repo creation" default list of groups that are automatically attached and/or force the repo creator to select which groups should have permissions to the repo when it is created, so they are made explicitly aware of who can have what access, if any, to any repo.