Reply To: URGENT – SECURITY BUG (dashed-slug.net forums, General discussion)
Thank you for reporting this. I am posting here for the benefit of anyone else reading this.
You describe that the get_user_info JSON call divulges user names. This is not a bug, but works as intended and is documented behavior.
I do intend to replace this API in the future with something that does not divulge user names, but it will be done when I rework the API because it’s an architectural change and is tied to a lot of other things that also need to change.
For the time being you can disable the “send funds to user” capability from any user roles that you do not wish to be able to see user names. These users will not be able to initiate internal transfers or use the [wallets_move] shortcode, but the deposit/withdrawal functionality will still be there.
Again thanks for reporting.
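The workaround described in the reply above (removing the “send funds to user” capability from roles that should not be able to look up user names) can be applied in code rather than through the plugin's settings screen. The snippet below is an added example and is not the plugin author's code; it assumes the capability slug is `send_funds_to_user` (a hypothetical value here; confirm it against the plugin's capability settings) and that the `administrator` role should keep it. It uses only core WordPress APIs (`wp_roles()`, `WP_Role::has_cap()`, `WP_Role::remove_cap()`), and the second function lets you verify afterwards which roles still hold the capability.

```php
<?php
/**
 * Added example (not the plugin author's code).
 *
 * Strips the "send funds to user" capability from every role except those
 * listed in $keep, so members of the other roles can no longer initiate
 * internal transfers, use the [wallets_move] shortcode, or reach the
 * user-lookup JSON call that exposes user names. Deposits and withdrawals
 * are not affected.
 *
 * Assumption: the capability slug is 'send_funds_to_user' (hypothetical;
 * check the plugin's own capability settings before relying on it).
 *
 * Place this in a must-use plugin (wp-content/mu-plugins/) or the active
 * theme's functions.php.
 */

add_action( 'init', 'example_restrict_send_funds_capability' );

function example_restrict_send_funds_capability() {
    $cap  = 'send_funds_to_user';      // assumed capability slug
    $keep = array( 'administrator' );  // roles allowed to keep the capability

    foreach ( wp_roles()->role_objects as $role_name => $role ) {
        if ( in_array( $role_name, $keep, true ) ) {
            continue;
        }
        // remove_cap() persists the change in the wp_user_roles option,
        // so guard with has_cap() to keep this idempotent across page loads.
        if ( $role->has_cap( $cap ) ) {
            $role->remove_cap( $cap );
        }
    }
}

/**
 * Audit helper: returns the names of all roles that still hold the
 * capability, so the change can be confirmed, e.g. with WP-CLI:
 *   wp eval 'print_r( example_roles_with_send_funds() );'
 */
function example_roles_with_send_funds( $cap = 'send_funds_to_user' ) {
    $holders = array();
    foreach ( wp_roles()->role_objects as $role_name => $role ) {
        if ( $role->has_cap( $cap ) ) {
            $holders[] = $role_name;
        }
    }
    return $holders;
}
```

After deploying, run the audit helper (or inspect the plugin's capability settings) and confirm that only the roles you intend to keep appear in the result; any role still listed can still reach the user-lookup call until the author's planned API rework lands.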