When watching the DOC space, as a normal user I received creation / update reports (including content and version comments) for the Confluence 1.5-DR2 release notes as I would for any page.

When I went to see the the release notes it told me I was not in the confluence-developers group, so I shouldnt have got the notifications in the first place.

This is the first time I have noticed a security leek regarding to notifications, but there may be others as I havent actively looked for them.