you need to ensure the user is not in any Role or Group that might be leveraged in any project. Put this person in their own group, e.g. create a group for that client/project - Projxxx-client-group. Then give that group the desired permissions/notifications.

The best way to limit project access is by using project roles and in the permission scheme give the roles the permission you want like edit, browse, transition, etc. I don't know how cloud is setup, but on server everyone who can logon to JIRA is given permission to everything. 

First, by default JIRA has a horrible permission scheme that violates security best practices by allowing everyone that can logon to do just about everything.

JIRA works by GRANTING access. You can't restrict access. By default, it grants access to the group used to logon (see Global permissions to see the "can use" groups and admin groups).  This is where users are getting their access.

1. The FIRST thing you need to do to get control is to remove any groups with logon privileges from the permission scheme unless you absolutely want everyone to have that permission. 
2. Then I suggest you setup Project Roles for the various functions like, tester, QA, Browse Only, etc.
3. By using project roles, one permission scheme will cover all projects. The project admin controls project role membership
4. If the project leads want everyone that can logon access to the project they can add the logon group to a project role with the desired permissions.

This may be a big effort, but it will pay off down the road by making it easy to control access.

Most of the 'old timers' use project roles. It meets the best practice for security and gives complete control to the project lead for access to their project. JIRA comes with many project roles, but you can add more if you have a special need.