When preparing a module list (e.g., queried by "rsync hostname::"), the daemon should filter out modules that are denied by hosts allow/deny, password rights, etc. This both reduces information leakage and assures that the module can actually be traversed.
Note comments here: http://lists.samba.org/archive/rsync/2007-January/017014.html
My use case was a module for which access was restricted to one IP address (a backup machine). I didn't want the existence of this module to be known to arbitrary users (information leakage never being a good thing). I ended up using two rsync daemons, with the private one protected by iptables on a non-standard port, to prevent the announcement of the modules' existence. When I wrote up the feature request, I added the password rights issue.
*** Bug 8506 has been marked as a duplicate of this bug. ***
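As an added example (not part of this bug report and not rsync's own code): a configuration audit that flags modules which restrict access with `hosts allow`, `hosts deny` or `auth users` but are still announced by `rsync hostname::` because the rsyncd.conf `list` parameter is left at its default. The sample configuration, its module names, paths and address are constructed, and the parser assumes the simple `name = value` form without line continuations.

```python
import re

TRUE_VALUES = {"yes", "true", "1"}
# Access-limiting parameters; names are compared lowercased, whitespace removed.
RESTRICTING = ("hostsallow", "hostsdeny", "authusers")

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) parsed from rsyncd.conf text."""
    global_params, modules = {}, {}
    current = global_params
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        name, sep, value = line.partition("=")
        if section:
            current = modules.setdefault(section.group(1).strip(), {})
        elif sep:
            current["".join(name.lower().split())] = value.strip()
    return global_params, modules

def announced_restricted_modules(text):
    """Modules that restrict access yet still show up in `rsync hostname::`."""
    global_params, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        effective = {**global_params, **params}  # module settings override globals
        listed = effective.get("list", "yes").lower() in TRUE_VALUES
        limits = [key for key in RESTRICTING if effective.get(key)]
        if listed and limits:
            findings.append((name, limits))
    return findings

# Constructed sample: module names, paths and the address are made up.
SAMPLE = """\
[public]
    path = /srv/rsync/public
[backup]
    path = /srv/rsync/backup
    hosts allow = 192.0.2.10
    hosts deny = *
[backup-unlisted]
    path = /srv/rsync/backup2
    hosts allow = 192.0.2.10
    list = no
"""

if __name__ == "__main__":
    print(announced_restricted_modules(SAMPLE))
```

Each finding is a module whose name is disclosed to any client that can reach the daemon, even though that client would be refused access to it.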