You can select groups whose members can always see each other, regardless of their assignment to extranet spaces.

For example, you can define internal groups so that your own employees can continue to work together as usual, even in extranet spaces.
Internal groups are excluded from filtering by Space Privacy.
This can be done by defining Confluence groups here (you don't need a dummy extranet space).

Which users are extranet users allowed to see or not?

You can choose whether users that are not assigned to an extranet space should be visible to all extranet users or not.

"... that share at least one extranet space."
This limits extranet users so that they can see only the other users who are also assigned to one of their spaces.

We recommend this option for most extranet configurations.

"... that share at least one extranet space plus those who are not assigned to any extranet spaces."
Extranet users can see all other users who are not assigned to any extranet space. For example, select this option to allow all external extranet users to see all of your internal employees/users.

Which users can extranet user administrators assign to a space?

You can choose whether or not extranet user administrators can assign all users from the system. This option is relevant when you want to allow external users to manage their own extranet spaces.

"... that exist in the system."
All users that exist in your system can be assigned to extranet spaces by their extranet user administrator.

We recommend this setting when extranet spaces are managed by internal employees.

"... that are already assigned to extranet spaces where the administrator has access."
Extranet user managers can only assign users to their space with whom they share at least space.

We recommend this setting when external users manage their extranet spaces when they are assigned the extranet user manager role.