This seems like unintended behavior.
All of the group APIs I have found use a ?username=[thename] parameter which will not allow a traversal to occur.
The group funds member search API however uses a different format (as shown here):
This allows for URL traversals to occur (you can move up the web directory using …/…/) - this is causing the client side JSON parser to spit out an error since it’s requesting a page that is not returning JSON.
You can see the bug in action here:
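The difference between the two URL formats the post describes, as an added example that is not part of the original post and not the site's code. The host, routes and function names are hypothetical, since the real endpoint format is not reproduced on this page. It shows why a name placed in the query string cannot move the request path, why a name concatenated into the path can, and how to build the path form safely.

```javascript
// Hypothetical host and routes, constructed for illustration only.
const BASE = "https://api.example.test";
const SEARCH_PREFIX = "/v1/groups/1/payout-search/";

// Query-string format: the name is form-encoded into ?username=...
// and never takes part in path resolution.
function queryStyleUrl(name) {
  const u = new URL("/v1/groups/1/users", BASE);
  u.searchParams.set("username", name);
  return u;
}

// Path format built by raw concatenation: dot segments in the name are
// resolved by the URL parser before the request is sent.
function naivePathUrl(name) {
  return new URL(SEARCH_PREFIX + name, BASE);
}

// Path format, hardened: encode the name as a single path segment and
// reject names that are themselves dot segments. encodeURIComponent leaves
// "." untouched, so a bare ".." would still be resolved without this check.
function safePathUrl(name) {
  if (name === "" || name === "." || name === "..") {
    throw new RangeError("name is not usable as a path segment");
  }
  return new URL(SEARCH_PREFIX + encodeURIComponent(name), BASE);
}

// Check a client can run before sending: did the final path stay under
// the endpoint it was meant for?
function staysOnEndpoint(url) {
  return url.pathname.startsWith(SEARCH_PREFIX) &&
         url.pathname.length > SEARCH_PREFIX.length;
}

// Constructed sample input.
const sample = "../../";
console.log(queryStyleUrl(sample).href);
console.log(naivePathUrl(sample).href, staysOnEndpoint(naivePathUrl(sample)));
console.log(safePathUrl(sample).href, staysOnEndpoint(safePathUrl(sample)));
```

The server still has to validate the name itself; the encoding only keeps a client from requesting a different page than intended.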