IT Admins CAN see HR case information!!

Kohei Tominaga1
Tera Expert

Hi, HRSD experts.


I have noticed a possible security risk: information on HR cases is VISIBLE to IT admins!!

As you know, after removing HR roles from Admin role, IT Admins cannot see HR cases.

And the email records (on the sys_email table) associated with an HR case are evaluated based on whether the user has access to the HR case.

> The ACL, out of the box, runs a check to ensure that the user accessing the HRSD scoped record has the role of sn_hr_core.admin or has the access separately to read the target HR record
https://www.servicenow.com/community/hrsd-blog/inbound-email-security-for-hrsd/ba-p/2277516


However, there are two ways an IT Admin can see the information on the HR cases.

  1. Archived email
     As I have posted below, IT admins can see archived emails, including ones associated with an HR case.
     https://www.servicenow.com/community/hrsd-forum/hr-email-security-archived-email/m-p/2532023
  2. Approval Request email
     The emails generated by the OOTB "Approval Request" notification are associated with the approval task. Approval tasks are not accessible by IT Admins. But they can access the emails and see the description of the HR case.

Have you ever noticed these risks? Have you ever applied any treatment for these risks?
I have raised a HI ticket regarding No. 1, but troubleshooting by the HI team has been going on for more than a month. I will let you know if I get any answer from them.

2 REPLIES

brianrichards
Tera Guru

Most implementations I have worked on have enforced a data policy prohibiting the use of Case record values beyond (usually) Number, Opened By, and Assigned To in the notifications, since we don't ever want PII to exit the system. Basically, notifications should serve as the honking of a horn: something is happening that you should know about, so go log into the system to find out what.


Also, no attachments for notifications for this and other reasons.

Hi, Brian


Thank you for your comment.

Yes, there are some ways to secure information in the instance as you mentioned.

What I would like to say is that OOTB has some security risks, and I would like to know how ServiceNow thinks of this...