Mention notifications are ignoring "restricted to" setting in comments if reporter is part of that group


      The new notification feature for @mentions in an issue sends mail to
      users not included in the group the comment visibility is restricted to.

      This can be reproduced by the following scenario:

      • user A is member of the group SECURITY
      • user B isn't
      • user A creates a new issue, without restrictions
      • user A mentions user @B in a comment
      • user A doesn't want user B to read this comment, so he uses the
        "restricted to" feature for comments and restricts the visibility for
        this comment to the group SECURITY
      • now user B can't see the comment in the issue (as expected), but
        because he is mentioned he gets a mail notification with the whole
        comment (which is absolutely unexpected and unwanted!)

      This only happens when the reporter of an issue is already part of the
      SECURITY group. Otherwise the restriction works for the mail
      notifications too.

      Such a behaviour can be very serious, especially when user B would be an
      external customer, who should never see such a comment.

            Assignee: Unassigned
            Reporter: IT IT
            Votes: 0
            Watchers: 2

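The scenario from the report as a regression check, added here as an example and not taken from the product's code. `recipients_flawed` is a hypothetical model that merely reproduces the reported symptom (one visibility decision, made for the reporter, applied to every mentioned user); `recipients_checked` evaluates the "restricted to" group per recipient. All class and function names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass
class Comment:
    author: User
    mentions: List[User]
    restricted_to: Optional[str] = None  # group name; None means unrestricted


def can_view(user: User, comment: Comment) -> bool:
    """A user may read a comment if it is unrestricted or they are in its group."""
    return comment.restricted_to is None or comment.restricted_to in user.groups


def recipients_flawed(comment: Comment, reporter: User) -> List[str]:
    # Hypothetical model of the symptom: if the reporter passes the
    # visibility check, every mentioned user is mailed without a check.
    if can_view(reporter, comment):
        return [u.name for u in comment.mentions]
    return [u.name for u in comment.mentions if can_view(u, comment)]


def recipients_checked(comment: Comment, reporter: User) -> List[str]:
    # Visibility is decided for each recipient; the reporter is irrelevant.
    return [u.name for u in comment.mentions if can_view(u, comment)]


def scenario(reporter_in_group: bool):
    """Constructed data following the report: A is in SECURITY, B is not."""
    a = User("A", frozenset({"SECURITY"}))
    b = User("B")
    reporter = a if reporter_in_group else User("C")
    comment = Comment(author=a, mentions=[b], restricted_to="SECURITY")
    return recipients_flawed(comment, reporter), recipients_checked(comment, reporter)


if __name__ == "__main__":
    print(scenario(True))   # reporter in SECURITY
    print(scenario(False))  # reporter outside SECURITY
```

A test of this shape belongs next to every notification path (mentions, watchers, assignee mail), since each one builds its own recipient list.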