Jenkins / JENKINS-61235

User/people disclosure


    • Type: Bug
    • Resolution: Not A Defect
    • Priority: Minor
    • Component: matrix-auth-plugin
    • None

      With project/matrix based security, a user requires Overall/Read to do anything in the web UI. That is, even with permissions on a folder they cannot see anything and get the infamous “user is missing the Overall/Read permission”. But with the Overall/Read permission they can see all the other users (via e.g. /asynchPeople/). So there doesn’t seem to be a way to limit access to the user information – which, depending on context, is a data protection issue.

      (tested on Jenkins 2.220)

            danielbeck Daniel Beck
            zagy Christian Zagrodnick