Like described in bug 196981, there is a discrepancy between participation checking done using IPerson.inTeam() and by joining the TeamParticipation table.
One consequence of this is that in the case where the owner isn't a member of the team, a team owner wouldn't see a team-owned private branch in a listing (filtered using TeamParticipation) but would still be able to see the branch by navigating to it (checked using inTeam()).
(This is not really a security issue, because the owner could always have access by adding himself to the team which he's entitled to do.)
Instead of forcing owners to have a membership record, it's cleaner to simply remove the special case in inTeam() and modify security adapters that need to also grant access to the team owner explicitely.
* Make owner really distinct from membership and remove the special casing. This will permit delegation (e.g. a CEO can delegate a security team) without any blurring of the lines or confusing behaviour.