PII disclosure -- Past team members & their email IDs (personal emails) can be viewed by a Staff member with no permissions on Partner Dashboard
Severity: Low
Program: Shopify
Reported by: h13-
Vulnerability Details
Hi,
I'm not too sure if this is intentional and an expected feature or whether it really is an unnecessary information disclosure. If this is intentional, kindly close this as `Informative` or allow me to self-close so as not to affect my signal.
From my perspective, I noticed 2 issues:
__PART 1:__
Using the Partners Dashboard, a current team member belonging to a partner team with no explicit permissions can view the past members of that partner team: their names, their personal email IDs and when they were removed from the Partner Team.
__PART 2:__
Assuming a deleted STAFF member of the Partner team changes his email ID & name via `https://accounts.shopify.com/account`, that change can be seen by all the current STAFF members of the Partner team.
Vulnerable Endpoint - `https://partners.shopify.com/{PartnerTeam_ID}/memberships/removed`
__STEPS TO REPRODUCE__
__PART 1:__
1. Owner invites STAFF1 to join the Partner Team (Team_ABC) and assigns any permissions.
2. STAFF1 receives the invite and joins Team_ABC.
3. Owner removes STAFF1 from Team_ABC.
4. Owner invites STAFF2 to join the Partner Team (Team_ABC) and DOES NOT assign any permissions.
{F352315}
5. STAFF2 receives the invite and joins Team_ABC.
{F352316}
6. STAFF2 then navigates to the vulnerable endpoint to see past team members.
{F352317}
7. STAFF2 can then click on a past team member, which reveals the email ID associated with `https://accounts.shopify.com/account`.
{F352318}
__PART 2:__
1. STAFF1, who was removed from Team_ABC, changes his name & email ID via `https://accounts.shopify.com/account`.
2. STAFF2 now refreshes the past members page in his partner team dashboard and is able to view the updated name & email ID of former team member STAFF1. Please watch the video PoC below.
{F352327}
## Impact
As mentioned earlier in the bug report, I see 2 potential issues:
* Current Staff members of a Partner Account having `no explicit permissions` can view the past team members page and can access details like names, personal email IDs and the date when the ex-staff member was removed.
* The second is a much more significant issue whereby current STAFF members, and perhaps even owners, can see the updated personal email ID (PII) of an ex-Staff member who was associated with the Partner account. This email is PII since the email is set via `https://accounts.shopify.com/account`.
If an ex-staff member is no longer interested in working for the specific Partner account, then Shopify must honor their privacy by not exposing their updated personal email ID on the Past Team Members page of the partner account they were part of in the past. If this is not done, there is a chance that the Owner of the Partner account can re-invite the ex-staff member or restore their permissions for the Partner Account.
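The two issues above reduce to one missing authorization check and one unwanted live lookup. The following is an added illustration, not Shopify's code, of a hypothetical team model that shows the behaviour the report describes next to a hardened listing: the `:manage_team` permission symbol, the `PartnerTeam` class and the snapshot-at-removal design are assumptions made for this example.

```ruby
require 'set'
# Constructed model of a partner team; hypothetical, not Shopify's code.
Account = Struct.new(:id, :name, :email)              # live account profile
Removal = Struct.new(:account_id, :name, :removed_at) # snapshot taken at removal
class PermissionDenied < StandardError; end

class PartnerTeam
  def initialize
    @accounts = {} # account_id => Account, editable by its owner at any time
    @members  = {} # account_id => Set of permission symbols for current members
    @removed  = [] # Removal snapshots of former members
  end

  def register(account)
    @accounts[account.id] = account
  end

  def add_member(account_id, *permissions)
    @members[account_id] = Set.new(permissions)
  end

  def remove_member(account_id, at: Time.now)
    @members.delete(account_id)
    @removed << Removal.new(account_id, @accounts.fetch(account_id).name, at)
  end

  # The former member later edits their own profile (PART 2 of the report).
  def update_profile(account_id, name: nil, email: nil)
    a = @accounts.fetch(account_id)
    a.name  = name  if name
    a.email = email if email
  end

  # Behaviour the report describes: any current member, even one with no
  # permissions, sees the live profile of every former member.
  def removed_members_vulnerable(viewer_id)
    raise PermissionDenied unless @members.key?(viewer_id)
    @removed.map do |r|
      a = @accounts.fetch(r.account_id)
      { name: a.name, email: a.email, removed_at: r.removed_at }
    end
  end

  # Hardened listing: demands an explicit team-management permission and returns
  # only the snapshot captured at removal, so no email and no live lookup.
  def removed_members(viewer_id)
    raise PermissionDenied unless @members[viewer_id]&.include?(:manage_team)
    @removed.map { |r| { name: r.name, removed_at: r.removed_at } }
  end
end
```

A logging layer could additionally record every call to the removed-members listing with the viewer's id, which gives a detection signal for permissionless staff browsing former members.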
Report Details
State: Closed
Substate: Resolved
Bounty: $500.00
Weakness: Information Disclosure