In the admin console when assigning permissions you have the ability to give a person or group 'Manage System' permission. This means they can administrate the site, but can't see content that they do not have permission to see.
I've confirmed that this works for Spaces - although I can still see the space/subspace exists, and I can see there is content, I can't actually see the content listed anywhere or access it.
As far as I can tell this does not work for social groups. Someone has created a secret group, but I can still access that and see all the content. Surely this is an oversight, or am I doing something wrong?
It means that for some use-cases where a secure area is essential, we have to create it as a space, rather than a group. While I suppose this doesn't really matter, it actually drives more of the user management to the administrators, and not the group owner who would be more of an appropriate person.
I suppose we could give admin console training to people to do this but they are the kind of senior people that don't want to be involved in general admin - although would be happy 'inviting' people they want to their secret group.
Ok, so I think I actually found the solution here.
My admin user had - manage groups permission. I had assumed that would mean I could manage the groups I was a member of, but allows me to administrate any group. Removing that solves the permission issue.