Audit logs currently expose a full user per log:

This implicitly grants a "read" permission to user, even if the audit logs are scoped to an organization. Either we should strip down the user's returned fields, or return striped fields if the caller cannot read the user.

It feels more consistent to strip the information from all audit logs. The information is not 100% correct today anyway. An audit log from 1 month ago is joined with the user's table from today. So the log line does not record the user's state at the time of the event.