By default all users created are added to the PUBLIC role. This is because there is a need for some access to metadata for all users. There are several DMV's that all users can see, but internally the results are filtered to only show information about that users connections. For example, sys.dm_exec_connections will only show the connections for that session.