Feature Service shows that it is share to organization but it is shared to everyone. My data is not secure. Portal indicates that it is secure.

Respectfully, I’m struggling to reconcile how this can be described as “working as designed” when the sharing status indicates the data is secured to the organization—when in practice, it is not.

With over 30 years of experience as an ESRI customer, I understand there may be historical context and design momentum that contributed to this situation. However, the current behavior presents a real and significant disconnect between what is shown to users and what is actually enforced. In this case, the data is not, in fact, secure—despite appearances.

Perhaps "working as designed" per Esri's documentation might be a better way to put it. 

I'm not disagreeing with you, because it's misleading and easy to misunderstand unless you read Esri's documentation to get an understanding of how it works. I believe others have been in this situation, which is why some ArcGIS Ideas that David linked above have already been submitted for Esri to improve this. If the map image and feature layer truly are dependent on each other, then I think it would make sense for the permissions to be "linked" to each other. Meaning that if you change permissions to one, it forces you to change permissions to the other (perhaps giving you a pop-up message stating that). Otherwise, as you've encountered, it's misleading when the permissions in Portal state one thing, but in practice, are actually something else.