You have created a scope to limit a user's ability to see certain functions, in this case, to limit the user to only see the Policy module.
The user is indeed limited to see Policy Management only, however, the user is able to see all the policies.
This is by design. Although the scope will limit the user's ability to assign policies only to machines in their current scope, they are able to see all the policies defined in the system.
Resolution / Workaround
There is no way to avoid this. Policies are not user-specific, they are system-specific, so any user with access to see the policies can see all of them, although only assign them to the Machines/Groups/Orgs in their scope.