I see I'm not the first to request this, but ...
I run a multisite for Toastmasters where each site is run by the leaders of a different Toastmasters club. By default, if multisite is activated, it creates a WordPress users list populated with the emails of all users from across the network -- exposing data that individual site owner shouldn't have access to.
I've come up with workarounds, but I'm puzzled why it can't be fixed in the core product.
Desired solution would use is_multisite() to detect that MailPoet has been activated in that environment.
Prompts the site administrator to decide whether the WP Users list should be enabled.
And/or on multisite, Multisite uses code like $users = get_users('blog_id='.get_current_blog_id() ) to retrieve only the users of the current blog and add them to the WP Users list.
Re: GDPR / security, I'd argue you're exposing yourselves to more risk by making it easy for multisite admins to misuse the software than you would by fixing the issue. I think I had this available as an optional plugin for site admins for some time before I realized that this was an issue.
Frustrating for me because I really like MailPoet and want to promote it to users of this network -- speakers and leaders who might bring the solution home to their own businesses and other organizations they work with.