Clarify documentation about "Any logged in user" for Browse Project Permissions


As of Jira 7.13, it is understood that most, if not all, functions related to a project are governed by the project's permission scheme. On top of this, most users assume that application access is a security layer sitting above the project's permission scheme. This is generally true, but there is an exception:
when a user is involved in a ticket as the reporter, watcher or assignee and an event is triggered, the Notification scheme checks who should receive the notification for it, and all it requires is that each user has the Browse Projects permission.

In the Browse Projects permission, one of the sections of options is Application Access, and that list includes "Any logged in user". In theory, adding this to the Browse Projects permission allows any existing user in the database to see the project's issues, BUT it does not consider whether those users have application access. As a result, users without any application access (such as Service Desk customers) technically hold the Browse Projects permission even though they cannot log in to Jira directly. This by itself is not a problem, since they cannot log in to Jira after all, but it enables a scenario with Jira notifications, because the Notification scheme does not validate application access either. When an event is triggered, the validation appears to work like this:

1. An event is fired (say, issue creation).
2. Jira checks the users/groups/roles involved in the event (assignee, reporter, watchers, etc.), validates that they have the _Browse Projects_ permission, and sends the notification e-mail to all that do (regardless of application access).

When a user creates an issue and sets another user as the reporter, and that reporter does not have application access, and the previous scenario is met (Browse Projects permission including "Any logged in user" and Notification scheme including the reporter for the "Create Issue" or any other event), the user without application access will receive Jira notifications, showing internal comments and changes that would normally not be visible to customers.
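To make the check described above concrete, here is an added toy model (not Jira's own code; the user records, group membership and grant strings are constructed assumptions) that resolves notification recipients the way the steps above describe, beside the stricter variant most administrators assume is already in place:

```python
# Added toy model (not Jira's own code) of the recipient resolution this
# issue describes. Names, grant strings and data shapes are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    app_access: bool  # True if the user holds Jira application access


# Constructed sample users: a staff member with application access and a
# Service Desk customer who cannot log in to Jira directly.
STAFF = User("alice", app_access=True)
CUSTOMER = User("bob-customer", app_access=False)

# Browse Projects grants in the project's permission scheme. The
# "any_logged_in_user" grant is the one this issue is about; the group grant
# is a constructed alternative whose members all have application access.
BROWSE_ANY_LOGGED_IN = {"any_logged_in_user"}
BROWSE_GROUP_ONLY = {"group:jira-software-users"}
GROUP_MEMBERS = {"jira-software-users": {"alice"}}


def has_browse_permission(user, grants):
    """Evaluate Browse Projects grants as the issue describes them:
    'Any logged in user' matches every user in the directory and never
    consults application access."""
    if "any_logged_in_user" in grants:
        return True
    return any(g.startswith("group:")
               and user.name in GROUP_MEMBERS.get(g[len("group:"):], set())
               for g in grants)


def notification_recipients(participants, grants, require_app_access=False):
    """Return the names that get the event e-mail. `participants` are the
    reporter/assignee/watchers of the issue. The default mirrors the observed
    behaviour (only Browse Projects is checked); require_app_access=True is
    the stricter check most administrators assume is already in place."""
    recipients = set()
    for user in participants:
        if not has_browse_permission(user, grants):
            continue
        if require_app_access and not user.app_access:
            continue
        recipients.add(user.name)
    return recipients


if __name__ == "__main__":
    issue = [STAFF, CUSTOMER]  # bob-customer was set as reporter
    print("observed:", notification_recipients(issue, BROWSE_ANY_LOGGED_IN))
    print("group grant:", notification_recipients(issue, BROWSE_GROUP_ONLY))
```

With the "Any logged in user" grant the customer is e-mailed; with a group grant limited to licensed users, or with the application-access check switched on, only the staff member is.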

All this makes sense logically, but since the assumption for "Any logged in user" is that it does not supersede application access, the behaviour seems counterintuitive.

The suggestion is to add a note to the Managing project permissions OR the Configuring email notifications documentation pages, indicating that users without application access will still receive notifications in this scenario.

Assignee: Unassigned
Reporter: Rene C. [Atlassian Support] (Inactive)
Votes: 9
Watchers: 8
