Aha! I see what you are saying, to a certain degree, in that they are shown the hosts (not the databases, at least on mine). I went on to do some further experimenting:
Under the hosts section, they can enter the host (via phpMyAdmin link) with their user and password, but are only shown their databases (they cannot see databases assigned to other users). They can (using the “x” link) “delete” the host names used with other databases, but in my tests it has no effect on the availability of the host if it is defined as a host for another user. The connection still works, either programmatically or via phpMyAdmin, even though it no longer shows up on either user’s panel screen as a host (which is weird!).
What is even “weirder”, is that if you (as “master user”) or the other user then go back using your or the other user’s panel, and try to “re-add” the hostname, you/they are told it already exists. . DH is doing something behind the scenes (wildcard DNS?) with the hostnames that is not completely transparent from the panel screens.
As it is, I don’t see any real exposure here, as users can only access the databases they “own”, and their “deleting” of other hostnames appears to have no affect on the use of those hostnames for the databases that reference them - but I agree it does not look right that they can see the other host names.
This looks like a good candidate for a support ticket .