"list = no" correctly hides via rsync _server_::, however if one tries rsync _server_::_existing-module_/ and does not have permission, one gets @ERROR: access denied to _user_ from _client_, whereas an attempt for a non-existent module emits @ERROR: Unknown module '_non-existent-module_' If "list = no" is used for security purposes (can't think of another reason at the moment), this can be considered a security bug and thus I left severity at normal instead of labeling it minor.
It's easy enough to lie to the user and tell them that the module is unknown when they fail to access a module that has "list = no" set (while still logging the real error into the server's log file). I've checked-in a change to CVS.