Project Matrix Authorization ignores permissions on subfolders


    • Type: Bug
    • Resolution: Fixed
    • Priority: Critical
    • Component/s: matrix-auth-plugin

      I'm using Project Matrix Authorization.
      Users are only supposed to view (get a list of) folders and jobs that they are permitted to.
      All users (except admin) have only overall read permission on global level.
      If I give access to some specific users to items (folders, jobs) in Jenkins root, that works as expected: the items are only visible for the users that have permission to view those.

      If I create a folder in root and give users A, B, and C permission to it, and then in that folder create additional jobs, one that only A can read, another that only B can read, and also one for C, all of the three users are able to list and read all the items in this subfolder, no matter what the permission on the items in the folder is.
      This applies to both folders and jobs in this folder.

      I have explicitly tested this before and could swear I have seen this working as expected a few months ago.
      It seems that it just stopped working at some time. Maybe a plugin or a core update broke this, as Jenkins is kept up to date.

      I have set priority to critical as, if it is true that this has been working before, this is a security issue.
      If I'm not right, please feel free to lower the priority.

      Jenkins is run in a Docker container. I just browsed the repository, and maybe this was working around 2.0 or 2.3 and broke since then.

            Assignee:
            Daniel Beck
            Reporter:
            Viktor Pal
            Votes:
            1
            Watchers:
            3