1 files changed, 6 insertions, 9 deletions

diff --git a/app/services/todos/destroy/entity_leave_service.rb b/app/services/todos/destroy/entity_leave_service.rb
index dfe14225ade..1fe397d24e7 100644
--- a/app/services/todos/destroy/entity_leave_service.rb
+++ b/app/services/todos/destroy/entity_leave_service.rb
@@ -23,10 +23,10 @@ module Todos
         return if user_has_reporter_access?
 
         remove_confidential_resource_todos
+        remove_group_todos
 
         if entity.private?
           remove_project_todos
-          remove_group_todos
         else
           enqueue_private_features_worker
         end
@@ -68,7 +68,7 @@ module Todos
         return unless entity.is_a?(Namespace)
 
         Todo
-          .for_group(non_authorized_non_public_groups)
+          .for_group(unauthorized_private_groups)
           .for_user(user)
           .delete_all
       end
@@ -104,16 +104,13 @@ module Todos
         GroupsFinder.new(user, min_access_level: Gitlab::Access::REPORTER).execute.select(:id)
       end
 
-      # since the entity is a private group, we can assume all subgroups are also
-      # private.  We can therefore limit GroupsFinder with `all_available: false`.
-      # Otherwise it tries to include all public groups. This generates an expensive
-      # SQL queries: https://gitlab.com/gitlab-org/gitlab/-/issues/325133
       # rubocop: disable CodeReuse/ActiveRecord
-      def non_authorized_non_public_groups
+      def unauthorized_private_groups
         return [] unless entity.is_a?(Namespace)
-        return [] unless entity.private?
 
-        entity.self_and_descendants.select(:id)
+        groups = entity.self_and_descendants.private_only
+
+        groups.select(:id)
           .id_not_in(GroupsFinder.new(user, all_available: false).execute.select(:id).reorder(nil))
       end
       # rubocop: enable CodeReuse/ActiveRecord