There are REST endpoint which does not take admin permissions into an account when returning response.

With following permission denying to view a userC:

When listing client sessions:

GET | http://localhost:8080/admin/realms/test/ui-ext/sessions/client?first=0&max=11&type=ALL&clientId=7bb6b97b-67b6-4cc6-9d99-974c73ec9157&search=

Or when listing users with a certain role:

GET | http://localhost:8080/admin/realms/test/clients/7bb6b97b-67b6-4cc6-9d99-974c73ec9157/roles/test-role/users?briefRepresentation=true&first=0&max=11

The lists includes users who should not be visible.