Consider the following: via the web interface you add a comment to an issue and restrict the visibility of that comment to a certain group. Depending on the notification scheme in place, some individuals will get an email containing that comment. If one of those users reply to that email, that message is then viewable by all, which may or may not be expected.

What if there was an admin option to enable "plus addressing". Normally a comment would be emailed with the sender of jira@example.org. If there was this "plus addressing" option, and if a comment was created with visibility restricted to the "dev" group, then what if the sender became jira+dev@example.org? Then if a recipient replies, and assuming the JIRA email plugin knew how to parse plus addresses, this email comment would be posted with visibility restricted to the "dev" group like the original was. That way information doesn't leak out unexpectedly.

I guess an altnernative method might be to somehow contain the group info in the Subject line, as in [JIRA-1010:dev]. Though, the plus addressing seems cooler.