If that external person was put on the task as a collaborator (correctly or incorrectly), then it makes sense that they would have access to everything on that task, right? (In order to collaborate/work on a task, you need to see what you’re working on.)
Unfortunately not. Having the project be private makes it pretty inaccessible to others, but explicitly adding someone as a collaborator on a specific task is I think the one way to override that privacy, for that one task only.
The only thing I know of to prevent that is in an Enterprise-level Asana subscription, there is an Admin option to block normal users from being able to include guests in an organization.
I looked for a thread in the Product Feedback forum section for something like “Have the option to disable task collaborators who are not project members” but couldn’t find anything like that - so you might want to create such a thread in that section, so people can vote for it if they agree it’s needed.