Say you have a Jira instance accessible to customers - perhaps one project per customer, with locked-down permissions so customers can't view each other's projects.

Now say you create a new project:

Who can see this new project by default?

The answer is: everyone. Everyone with a Jira login, that is. Jira auto-creates a new permission scheme called Default software scheme to associate with the new project, and this scheme is wide open by default.

If having new projects exposed to all your customers is non-optimal, then you should edit Default software scheme to contain what you consider to be good defaults. New projects in future (Scrum or Kanban) will use your edited Default software scheme. You can even rename the scheme.

For instance, if you want to force the administrator to choose another permission scheme, you might like to remove all non-admin permissions from Default software scheme and give it a different name.
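
To check which permission schemes on an instance are open to every logged-in user, the following added example (not part of the original post) audits a permission-scheme listing. It assumes the JSON shape returned by Jira's REST endpoint `GET /rest/api/2/permissionscheme?expand=permissions`; the sample data, the grants shown for each scheme and the `BROAD_GROUPS` names are constructed for illustration.

```python
import json

# Holder types treated as "broad" (an assumption of this example):
# "anyone" = public, "applicationRole" = any logged-in application user.
BROAD_TYPES = {"anyone", "applicationRole"}
# Hypothetical catch-all groups; substitute the ones used on your instance.
BROAD_GROUPS = {"jira-software-users", "jira-users"}

# Constructed sample, shaped like the permission-scheme listing response.
SAMPLE = json.loads("""
{"permissionSchemes": [
  {"id": 10000, "name": "Default software scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
    {"permission": "CREATE_ISSUES", "holder": {"type": "applicationRole"}},
    {"permission": "ADMINISTER_PROJECTS",
     "holder": {"type": "projectRole", "parameter": "10002"}}]},
  {"id": 10100, "name": "Customer A scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS",
     "holder": {"type": "projectRole", "parameter": "10200"}},
    {"permission": "ADD_COMMENTS",
     "holder": {"type": "group", "parameter": "jira-software-users"}}]}
]}
""")


def is_broad(holder):
    """True if the grant holder covers every logged-in user (or wider)."""
    if holder.get("type") in BROAD_TYPES:
        return True
    return holder.get("type") == "group" and holder.get("parameter") in BROAD_GROUPS


def audit(response):
    """Map scheme name -> sorted permissions granted to a broad holder."""
    findings = {}
    for scheme in response.get("permissionSchemes", []):
        broad = sorted({g["permission"] for g in scheme.get("permissions", [])
                        if is_broad(g.get("holder", {}))})
        if broad:
            findings[scheme["name"]] = broad
    return findings


if __name__ == "__main__":
    for name, perms in audit(SAMPLE).items():
        # BROWSE_PROJECTS is the grant that makes a project visible at all.
        flag = "EXPOSES PROJECT" if "BROWSE_PROJECTS" in perms else "review"
        print(f"{name}: {flag}: {', '.join(perms)}")
```

Any scheme flagged with `BROWSE_PROJECTS` makes its projects visible to all logged-in users; other broad grants are worth reviewing but only matter to users who can already see the project.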

