Hey Erik -
Great question! It sounds like you haven't modified the base permissions of the Default project. They allow all users to view the project and the workbooks within the project.
Generally, we consider it a best practice to remove permissions from the Default project before you start doing any "serious" work on the server. Why? Because all new projects that are created initially inherit the permission set of Default. So out of the box your IT folks can see in the HR project, HR people can see inside IT, and everyone can see inside Default. Nothing is locked down.
At this point, your best bet is to remove viewer/publisher permissions from Default for the groups you mentioned. If a group doesn't have permissions on a project, it won't show up in the Project drop-down - problem solved.
Hope this helps!