Submodule can be accessed via pipeline by unauthorized user

Please help us work out what the issue is here.

  1. Create two projects, P1 and P2, and two users, U1 and U2.
  2. Add U1 and U2 to P1, with U1 being an administrator/maintainer and U2 being a developer.
  3. Create one branch in P1 apart from the main branch, which U2 can use. Make the main branch protected and do not allow the "Developer" role to push/merge.
  4. Now add U1 as an administrator in the P2 project, which only has one branch (the main branch).
  5. Create a submodule with the latest changeset of P2 inside the P1 root folder.
  6. Here the user with his own P1 branch cannot view any files of the created submodule.
  7. Create a pipeline with the default Git CI/CD .yml file containing a set of instructions to list all the files in the root folder of the P2 project's main branch.
  8. The user U2 does not have permission to start the pipeline if it is manually triggered. Also, he cannot edit the .yml file in the main branch.
  9. But the user U2 does have access to view the .gitmodules file, which is in the P1 project root folder. There he can see the path of the root folder of project P2.
  10. Now he can add his own statements in his own branch's Git CI/CD pipeline editor and run the same pipeline.

While the pipeline runs, the folder contents are listed to user U2, which should not happen, right?!
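As an added illustration (not part of the original question and not GitLab's own documentation), here is a `.gitlab-ci.yml` showing a job that fetches and lists the submodule beside a form that only does so on a protected ref. It assumes the listing job in step 7 relied on `GIT_SUBMODULE_STRATEGY` to pull the submodule into the job workspace; the submodule path and job names are placeholders.

```yaml
# Added example, not from the original question. Paths and job names are placeholders.

# Project-wide default: do not fetch submodules unless a job asks for them.
variables:
  GIT_SUBMODULE_STRATEGY: none

# Permissive form (assumed to resemble the pipeline in step 7): any branch
# whose pipeline runs also fetches the submodule and can list its contents.
list-submodule-permissive:
  variables:
    GIT_SUBMODULE_STRATEGY: recursive   # pulls the P2 submodule into the workspace
  script:
    - ls -la path/to/p2-submodule       # path taken from .gitmodules (placeholder)

# Tighter form: the job only exists on protected refs, so a pipeline edited on
# an unprotected developer branch does not run it.
list-submodule-protected:
  variables:
    GIT_SUBMODULE_STRATEGY: recursive
  rules:
    - if: '$CI_COMMIT_REF_PROTECTED == "true"'
  script:
    - ls -la path/to/p2-submodule
```

The caveat that matters for the scenario above: the `.gitlab-ci.yml` on an unprotected branch is under the branch owner's control, so `rules` and `GIT_SUBMODULE_STRATEGY` in that file are not a security boundary on their own; the developer can simply change them, which is what step 10 describes. The boundary is which credentials a job on that branch can use to fetch P2: protected CI/CD variables (only exposed on protected branches), the permissions attached to the job token in P2, and P2's own CI/CD job token access settings. Checking that a pipeline on an unprotected branch of P1 cannot clone P2 at all is the test a maintainer would want to run.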



Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
