I have four bugs. Bug One depends on Bug Two which depends on Bug Three which depends on Bug Four. Bug Two and Bug Three are private. If I view the dependency tree for Bug One, the 'View as bug list' contains a link to Bug Four. This should not be because the user is unaware that Bug Two depends on Bug Three. An example of this is at the tip: https://landfill.bugzilla.org/bugzilla-tip/showdependencytree.cgi?id=20901&hide_resolved=1 The bug list link contains Bug Four.
IMO, that's not really a security bug. You still cannot know what the security bugs are about. I agree that once a bug you cannot see is found, the recursion should stop at this point.
And actually, this bug is known for years and is public.