High Security Permissions Risk with Box Teams Integration on Private Channels That Get a Box Folder Auto-Created
Box support needs to address this error immediately.
Currently, Teams Private Channels are not supposed to have the ability to add the Box app. The behavior we've seen is that if the private channel already exists prior to adding the Box app to the Teams group, the Box app gets added to that private channel as well, where it auto-creates a Box folder. It works if the private channel is added after the Box app has been added to the Teams group.
The response I got from Box support is that they are planning to eventually integrate the Box app in private channels.
In any case, Box for Teams permissions seem to be adopting the top-level permissions from the Teams group level, which is posing a high security risk to the permissions that should only be allowed to private channel users. Users from the same Teams group can access the private channel folder created in Box and can modify anything.
Since Box won't fix the auto-creation of folders from a private channel, Box will need to auto-identify to only allow the permissions to select users for the Box private channel folder that was auto-created.
