A common problem we see is that channels meant to be private end up exposed to many users. Usually, there is a simple solution.
Channel Type Permissions
Whether a user can view a channel is defined by the permission model of the Channel Type. To access the permission model for a Channel Type from the dashboard, you can click Overview then select the channel type you would like
The permissions are at the bottom of the page in the black JSON object. The permission that we are interested in is ReadChannel. We then want to look at the "roles" where this permission is applied. To simplify, there are three main roles we are interested in: User, Admin, and channel_member.
User: if a user has the ReadChannel permission, they will be able to read any channel of this type, regardless of membership
Admin: same as above, they will be able to read any channel
channel_member: This is the interesting one - only members of the channel will be able to access it. This is typically the permission you want for private channels.
All of the Stream default channel types are "private" except for Livestream. Livestream is the only channel type where all user roles have the ReadChannel permission.
Permission Checks Disabled
A common reason why a channel appears "public" is that permission checks have been disabled. This is possible for applications in Development mode and is not really recommended unless you are testing under certain circumstances. With this toggle enabled, the permission model above is skipped and all channels are accessible.
Connecting with an Admin
Another common reason why a channel appears "public" is that the user you are connecting with is an admin. By default, admins have access to all channels client-side.
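
The three causes above (roles holding ReadChannel, disabled permission checks, connecting as an admin) can be checked together when diagnosing an exposed channel. The script below is an added example, not Stream's code: the JSON layout (a "permissions" list whose entries carry "resources", "roles" and "action"), the two sample channel types and the function names are assumptions made for illustration.

```python
import json

# Constructed samples. The layout (a "permissions" list whose entries carry
# "resources", "roles" and "action") is an assumed shape, not a dashboard export.
MESSAGING = json.loads("""
{"name": "messaging", "permissions": [
  {"name": "Admins", "resources": ["ReadChannel", "UpdateChannel"], "roles": ["admin"], "action": "Allow"},
  {"name": "Members", "resources": ["ReadChannel", "CreateMessage"], "roles": ["channel_member"], "action": "Allow"},
  {"name": "Users create", "resources": ["CreateChannel"], "roles": ["user"], "action": "Allow"}
]}
""")
LIVESTREAM = json.loads("""
{"name": "livestream", "permissions": [
  {"name": "Everyone reads", "resources": ["ReadChannel"], "roles": ["user", "admin", "channel_member"], "action": "Allow"}
]}
""")


def read_roles(channel_type):
    """Return the lower-cased roles that are granted ReadChannel."""
    roles = set()
    for entry in channel_type.get("permissions", []):
        if entry.get("action", "Allow") != "Allow":
            continue  # only entries that grant access are counted
        if "ReadChannel" in entry.get("resources", []):
            roles.update(r.lower() for r in entry.get("roles", []))
    return roles


def why_readable(channel_type, role, is_member, checks_disabled=False):
    """Explain why a connection can read a channel of this type, or return None."""
    if checks_disabled:
        return "permission checks are disabled for the app"
    granted = read_roles(channel_type)
    role = role.lower()
    if role == "admin" and "admin" in granted:
        return "connected user is an admin"
    if role in granted:  # e.g. "user": readable regardless of membership
        return f"role '{role}' has ReadChannel on this channel type"
    if is_member and "channel_member" in granted:
        return "user is a member of the channel"
    return None  # the channel is not readable for this connection
```

A None result for a non-member with the User role is what a private channel type should produce; any other answer names which of the three causes is exposing the channel.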