Able to mount NFS to a share's PARENT directory - How?

So I have a strange behavior occurring with my RHEL 6.6 NFS setup and I don't think it should be able to work like this.

On my RHEL6.6 NFS SERVER I have shared the following directories to two servers.

/data/toHIGH/stage
/data/toHIGH/bulk

Share options used:
/data/toHIGH/stage NFS_CLIENT1(rw,wdelay,no_root_squash,no_subtree_check)
/data/toHIGH/stage NFS_CLIENT2(rw,wdelay,no_root_squash,no_subtree_check)

/data/toHIGH/bulk NFS_CLIENT1(rw,wdelay,no_root_squash,no_subtree_check)
/data/toHIGH/bulk NFS_CLIENT2(rw,wdelay,no_root_squash,no_subtree_check)

On one of the RHEL 6.6 NFS CLIENTS some how one of my guys has mounted a directory to the PARENT of the two shares on the NFS SERVER.

So we have one of the NFS clients (NFS_CLIENT1):
/data/toHIGH/ is mounted to NFS_SERVER:/data/toHIGH/

HOW IS THIS POSSIBLE? i'm not sharing /data/toHIGH/ itself. This seems like a security problem to me. OH IT WORKS, but why?

Ideas?

Thanks much. I know Solaris 10 would have barked at me for event trying this.