Viewing the develop page for a group you are not authorized to edit places in correctly blocks access (although it’s just a white page instead of an error): https://www.roblox.com/develop/groups/3059674
However, the “Load more results” AJAX endpoint does not have such a security check, so you can list all assets and places of any group without restriction:
https://www.roblox.com/build/assets?assetTypeId=9&groupId=3059674&startRow=0
https://www.roblox.com/build/assets?assetTypeId=13&groupId=3059674&startRow=0
This is especially bad for Roblox event games where listing the inventory of a group could result in finding leaked assets for not-yet-released promotions. As far as I know, there’s no existing API for listing the inventory of a group, so this endpoint is leaking information that is otherwise inaccessible to the public. (It’s still possible to crawl asset IDs or for unreleased assets to pop up in the Recommended section, but at least that’s harder to pull off.)
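An added example, not part of the original post and not Roblox's code: a minimal model of the pattern reported above, where the page handler checks group permissions but the pagination handler trusts `groupId`, plus a regression check that probes every group-scoped route as an outsider. All function names, users and asset names are constructed assumptions.

```python
# Constructed model of the reported pattern; no name here is a real Roblox API.
GROUP_EDITORS = {3059674: {"alice"}}  # constructed membership data
GROUP_ASSETS = {3059674: {9: ["asset-a", "asset-b"], 13: ["asset-c"]}}  # constructed


class Forbidden(Exception):
    """Would map to an HTTP 403 response in a real web framework."""


def require_group_editor(user, group_id):
    # Single shared check, so every group-scoped handler enforces the same rule.
    if user not in GROUP_EDITORS.get(group_id, set()):
        raise Forbidden(f"{user!r} may not manage group {group_id}")


def develop_page(user, group_id):
    require_group_editor(user, group_id)
    return f"<html>develop page for group {group_id}</html>"


def build_assets_unchecked(user, group_id, asset_type_id, start_row=0):
    # "Before": the pagination handler returns rows for any groupId it is given.
    return GROUP_ASSETS.get(group_id, {}).get(asset_type_id, [])[start_row:]


def build_assets_checked(user, group_id, asset_type_id, start_row=0):
    # "After": the same authorization check as the page it feeds.
    require_group_editor(user, group_id)
    return GROUP_ASSETS.get(group_id, {}).get(asset_type_id, [])[start_row:]


def unguarded_routes(routes, outsider, group_id):
    """Names of routes that answer an outsider instead of raising Forbidden."""
    leaks = []
    for name, handler in routes.items():
        try:
            handler(outsider, group_id)
        except Forbidden:
            continue
        leaks.append(name)
    return leaks


BEFORE = {"develop_page": develop_page,
          "build_assets": lambda u, g: build_assets_unchecked(u, g, 9)}
AFTER = {"develop_page": develop_page,
         "build_assets": lambda u, g: build_assets_checked(u, g, 9)}

if __name__ == "__main__":
    print("before:", unguarded_routes(BEFORE, "mallory", 3059674))
    print("after: ", unguarded_routes(AFTER, "mallory", 3059674))
```

Running the same probe over every route that accepts a group identifier, in the test suite, catches secondary endpoints that were added after the page-level check was written.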