The least amount of access you can give a user is to restrict them to ONLY assigned clients and leads.

So if you DO NOT assign them any leads or client you would expect that user account to have no access.

But that's not the case... the account can still access:

Affiliates - even when there is a clear permission for Affiliate Commission & Payment (add/edit/view). So an account that you specifically deny access can still see all your affiliate info.

Cloud mail - account with no access can view cloud mail information

digital signature records - account with no access can still view all past client signed contracts which have all the clients data.

There is a clear lack of fundamental security on this platform, for a service that handles thousands of peoples financial data I'm very surprised and disappointed. And with the addition of the markethub you should expect people hiring admin teams that only need access to markethub and not CRC, so please implement the correct IAM controls.