Yes, your concern is valid, as allowing external users like your candidate access to the GCP project within your business organization is very risky. If not managed carefully, external users could potentially gain access to resources and/or services that are sensitive and integral to your business. The safest approach is to create a separate GCP project under the same organization, dedicated only to your test project. When doing so, also take note of the following:
Use predefined IAM roles and grant specific access to Google Cloud resources.
Set up billing and budget alerts to avoid unexpected costs.
Enable audit logging to monitor your candidate's activities.
Revoke access once the test project is completed.
For further reference you can check this related article.
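A Terraform sketch of that setup, added here as an example and not part of the original answer; the organization id, billing account, project id, candidate e-mail, budget amount and deadline are placeholders, and the role should be narrowed to whatever the test actually needs:

```hcl
# Added example (not part of the original answer). All ids, the e-mail, amount and
# deadline below are placeholders.

# 1. A dedicated project under the organization, so the candidate never touches
#    resources that belong to your real workloads.
resource "google_project" "candidate_test" {
  name            = "candidate-test"
  project_id      = "candidate-test-0001"    # placeholder; must be globally unique
  org_id          = "123456789012"           # placeholder organization id
  billing_account = "000000-000000-000000"   # placeholder billing account
}

# 2. One predefined role scoped to this project only, with an expiry condition so
#    the grant ends automatically even if nobody remembers to revoke it.
resource "google_project_iam_member" "candidate" {
  project = google_project.candidate_test.project_id
  role    = "roles/compute.instanceAdmin.v1"       # narrow this to what the test needs
  member  = "user:candidate@example.com"           # placeholder external identity
  condition {
    title      = "expires-after-test"
    expression = "request.time < timestamp(\"2025-01-31T23:59:59Z\")" # placeholder
  }
}

# 3. A small budget with alerts at 50%, 90% and 100% of the amount.
resource "google_billing_budget" "candidate_budget" {
  billing_account = google_project.candidate_test.billing_account
  display_name    = "candidate-test-budget"
  budget_filter {
    projects = ["projects/${google_project.candidate_test.number}"]
  }
  amount {
    specified_amount {
      currency_code = "USD"
      units         = "50"
    }
  }
  threshold_rules { threshold_percent = 0.5 }
  threshold_rules { threshold_percent = 0.9 }
  threshold_rules { threshold_percent = 1.0 }
}

# 4. Data Access audit logs for every service in the project, so what the
#    candidate reads and writes shows up in Cloud Audit Logs.
resource "google_project_iam_audit_config" "all_services" {
  project = google_project.candidate_test.project_id
  service = "allServices"
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}
```

Destroying the project at the end of the test removes the grant and everything the candidate created in one step, which is the cleanest form of the "revoke access" item above.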