Members of the special confluence-administrators group have access to all content on the site, however they should not see restricted content in search results or get notifications about changes on restricted pages.

There is a bug in the permission check for notifications about "contained" objects (comments and attachments) that result in the isSuperuser() check applying when these notifications are triggered by a space or network watch. This means members of confluence-administrators are emailed information that they are allowed to see, but should not be notified about.

This was introduced by my changes around super-user checking in CONF-18073, in Confluence 3.5.