JIRA works by GRANTING access. You can't restrict access. By default, it grants access to the group used to logon (used to be JIRA-users but may be different on your version).  This is probably where they’re getting the access from.

1. The FIRST thing you need to do to get control is to remove any groups with logon privileges from the permission scheme unless you absolutely want everyone to have that permission.
2. Then I suggest you setup Project Roles for the various functions like, tester, QA, Browse Only, etc.
3. One permission scheme will cover almost all projects. The project admin controls project role membership

This may be a big effort, but it will payoff down the road by making it easy to control access.

I had a very similar problem and it took ages to resolve. In my case, it turned out that:

In our default permissions scheme "reporter" was allowed to have admin rights. I removed that, and bingo! Reporter is not a group, it is not a role, it is whomever creates an issue! I removed "reporter" from the admin section of the project scheme and boom. So, check that part of the scheme for the projects your user can see. Hope it helps!

Hello @Jean Pyronneau

Check your permissions scheme, check groups added to the permission scheme, and users added to it.

https://confluence.atlassian.com/adminjiraserver073/managing-project-permissions-861253293.html

Also is any of those projects Service Desk?