I found the solution. If I pass the context to the GetGroups
method, it works.
var user = UserPrincipal.FindByIdentity(_principalContext, IdentityType.SamAccountName, account);
var userGroups = user.GetGroups(_principalContext);
Apparently, this limits the groups retrieved to the domain associated with the context. Although this is not intuitive because the context was used to retrieve the user in the first place!!!
This leads me to believe there must be groups from other domains being returned previously and permissions were as such to prevent accessing that information.