Security aspects of removing a user from an organization or collection

I have a concern about the safety of removing a user from a collection.

Someone on reddit said that each collection is encrypted using a collection key, and the collection key is encrypted with the master key of each member. So, when I remove a user from a collection, can he retain the right key of the collection forever? Probably the web server will then refuse to send the encrypted items to the user. But if he can grab an export from the server (e.g. an SQL dump), he can probably decrypt all new secrets in the collection with the old collection key. Is this correct?

There is no per-collection key; there is a single organization key used to encrypt all entries (in any collection) belonging to that org.

In principle, the user could retain that key and use it to decrypt other items belonging to the org, if they’re able to access them somehow. AFAIK there is not currently a supported way to rotate the org encryption key.

According to Bitwarden’s security white paper:

When you create an Organization, an Organization Symmetric key is generated using a Cryptographically Secure Pseudorandom Number Generator (CSPRNG). The Organization Symmetric Key is encrypted using the public key from your Generated RSA Key Pair. The private key from your Generated RSA Key Pair is encrypted with your Generated Symmetric Key using AES-256. The Generated RSA Key Pair and Generated Symmetric Key were created when you first signed up and registered your account.

I’m not a cryptography expert, but I would venture to say the threat is minimal. In the event this could be done, the user would need their account encryption keys as well as access to your hosted server or database.
In the instance someone has control of your server, you would have far more possible situations that could arise, IMO.
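An added illustration, written for this thread and not taken from Bitwarden's code, of the key hierarchy the replies above describe: members unwrap a single org key, removing a member on its own leaves a retained copy of that key able to decrypt items added later (the SQL-dump case from the question), and rotating the org key is what actually cuts that off. Assumptions: a toy HMAC-SHA256 stream cipher stands in for AES-256, a symmetric wrap stands in for the RSA public-key wrap, and every key and secret below is constructed.

```python
import hmac, hashlib, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stand-in for AES-256 (illustration only): HMAC-SHA256 in counter mode.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def encrypt(key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key (or tampered data)
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

class Org:
    def __init__(self):
        self.org_key = os.urandom(32)  # one symmetric key for every item in the org (CSPRNG)
        self.wrapped = {}              # member -> org key wrapped under that member's own key
        self.items = []                # ciphertexts as stored on the server
    def add_member(self, name, member_key):
        self.wrapped[name] = encrypt(member_key, self.org_key)
    def remove_member(self, name):
        del self.wrapped[name]  # server stops serving the key; org_key itself is unchanged
    def store(self, secret):
        self.items.append(encrypt(self.org_key, secret))
    def rotate(self, current_members):
        # Mitigation: fresh org key, re-encrypt every item, re-wrap only for remaining members.
        new_key = os.urandom(32)
        self.items = [encrypt(new_key, decrypt(self.org_key, c)) for c in self.items]
        self.org_key = new_key
        self.wrapped = {n: encrypt(k, new_key) for n, k in current_members.items()}

def can_read_all(org_key_copy, org):
    # A former member with a retained org key tries it against a dump of the server's items.
    return all(decrypt(org_key_copy, c) is not None for c in org.items)

def scenario():
    alice, bob = os.urandom(32), os.urandom(32)  # members' account keys (constructed)
    org = Org()
    for name, key in (("alice", alice), ("bob", bob)):
        org.add_member(name, key)
    retained = decrypt(bob, org.wrapped["bob"])  # bob unwraps the org key while a member
    org.remove_member("bob")
    org.store(b"secret added after bob was removed")
    readable_before = can_read_all(retained, org)  # True: the same org key is still in use
    org.rotate({"alice": alice})
    readable_after = can_read_all(retained, org)   # False once the org key is rotated
    return readable_before, readable_after
```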