Comment by sofixa

With OIDC, the "info" would be just a URL with the public signing keys that the server accepts as legitimate signers.

The server still does authorisation on top. And unless you control the private keys, you cannot mint JWTs that are accepted as legitimate.

So the "info" leaking is really not a problem.