We have some repos which have more restrictive security than others. At the project level we grant no permissions, then at the repo level we grant access.
When a user clicks the "watch" button on a project, they receive email notification for pushes to branches for all of the repos in the project, regardless of whether they have access to that repo or not. Since the pull messages have commit information, this is sensitive information being leaked users that should not have access.
STEPS TO REPRODUCE
1. In a project where you don't have access to some of the repos, click watch
2. Someone pushes something.
3. You get an email
linux with stash v3.4.0-m1