"Insufficient rights to read the email body" error while trying to open email on the incident ticket
‎10-09-2020 01:36 AM
Hi Team,
On Oct 3rd we upgraded to the Paris version.
Only users with the Admin role were able to see the emails in the ticket.
Labels: Activity Designer, Notifications

‎10-26-2020 12:16 PM
‎10-26-2020 12:26 PM
Yeah, never mind. As I said, we do have the ACL, but someone long ago added the 'Admin' role to it, so it's not working for an ITIL user. Thanks.
‎12-02-2020 11:35 AM
I ran across this same issue after upgrading to Paris. I sent it off to HI to see what they would say and here's what they came back with. I hope this solves your issue.
I can confirm this is not a bug, but a fix to an existing problem that affected instances before Paris. We used to have a problem, PRB1406163 'EmailDisplay Processor does not evaluate read ACLs on email before displaying the body', which posed a security concern: a non-admin user was able to see sensitive content from an email in the activity stream on records, even though the non-admin is blocked by ACL from seeing the content of that record on the [sys_email] table. Since Paris we have fixed PRB1406163 and introduced newer security features within the Email read ACL, such as Email Access Restrictions for the activity stream on records.

Before Paris, I believe the behavior was that a non-admin user could see the email content in the activity stream of any record the user had access to. We regard this as a security concern (content being visible to non-admins), and listed this behavior as the 'steps to reproduce' for PRB1406163, so we fixed the PRB by updating the email processor script. Please see: https://hi.service-now.com/kb_view.do?sysparm_article=KB0860854

So it is expected behavior now that users cannot see email content in the activity stream of a record since Paris, after we fixed PRB1406163 to introduce the newer security features. However, if a user who has access to the record should still be able to see the email content in the activity stream (that is, you do not want the fix for PRB1406163 applied on Paris), please revert the logic in the processor "EmailDisplay", function process, to remove the check on the email record's accessibility, 'if (emailRecord.canRead()) showEmail(emailRecord);'. The reverted script for function process will be:
_______________________
// Reverted (pre-Paris) process(): only checks that the sys_email row exists,
// then displays it without evaluating the read ACL on the email record.
function process() {
    var email_id = g_request.getParameter("email_id");
    var emailRecord = new GlideRecord("sys_email");
    if (emailRecord.get(email_id)) {
        showEmail(emailRecord);
    } else {
        g_processor.writeOutput("No such email");
    }
}
_______________________
and remove
_______________________
// Paris process(): the read ACL on the sys_email record is evaluated
// (emailRecord.canRead()) before the body is shown.
function process() {
    var email_id = g_request.getParameter("email_id");
    var emailRecord = new GlideRecord("sys_email");
    if (emailRecord.get(email_id)) {
        if (emailRecord.canRead()) {
            showEmail(emailRecord);
        } else {
            g_processor.writeOutput(GlideSysMessage.format("Insufficients rights to read the email body"));
        }
    } else {
        g_processor.writeOutput("No such email");
    }
}
_______________________
Also, please don't remove the admin requirement in the read ACL for the [sys_email] table, as it is an OOB setting; we don't want non-admin users to access records on the [sys_email] table.

On the other hand, there is an alternative option: create a rule on notification accessibility for users with the role, at https://instance.com/email_access_restriction_list.do?sysparm_query=&sysparm_view= This is advised in https://hi.service-now.com/kb_view.do?sysparm_article=KB0862403 and https://docs.servicenow.com/bundle/paris-servicenow-platform/page/administer/notification/task/control-visibility-emails.html
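The gate described in the reply above, as an added example that is not part of the original post and not ServiceNow's own code: a Node.js model of both shapes of the EmailDisplay process() function. GlideRecord, g_request and g_processor are constructed stand-ins so it runs offline, the sys_email rows and users are constructed sample data, and the semantics of an Email Access Restriction rule (a {table, role} pair that lets holders of the role read emails attached to records on that table, with admin always allowed) are a simplifying assumption, not the platform's exact evaluation order.

```javascript
// Added example, not code from the thread or from ServiceNow: a model of the
// EmailDisplay processor decision with constructed stand-ins for the server
// globals. ACL and restriction-rule semantics below are simplified assumptions.

// Constructed sample sys_email rows (not real data).
const SYS_EMAIL = {
  e1: { target_table: 'incident', subject: 'Password reset', body: 'temporary password: Qx7!' },
  e2: { target_table: 'sn_hr_core_case', subject: 'Payroll query', body: 'salary details' },
};

// Constructed users. The OOB sys_email read ACL requires admin.
const USERS = {
  admin: { roles: ['admin', 'itil'] },
  itil: { roles: ['itil'] },
};

// Assumed rule semantics: a restriction {table, role} lets users holding `role`
// read emails whose target record is on `table`. Admin is always allowed.
function canReadEmail(user, email, restrictions) {
  if (user.roles.includes('admin')) return true;
  return restrictions.some(
    (r) => r.table === email.target_table && user.roles.includes(r.role)
  );
}

// Stand-ins for the server-side globals the processor script touches.
function makeContext(user, emailId, restrictions) {
  const out = [];
  function GlideRecord() {
    let rec = null;
    this.get = (id) => { rec = SYS_EMAIL[id] || null; return rec !== null; };
    this.canRead = () => canReadEmail(user, rec, restrictions);
    this.getValue = (field) => rec[field];
  }
  return {
    g_request: { getParameter: (name) => (name === 'email_id' ? emailId : null) },
    g_processor: { writeOutput: (s) => out.push(s) },
    GlideRecord,
    output: () => out.join(''),
  };
}

function showEmail(ctx, emailRecord) {
  ctx.g_processor.writeOutput(
    emailRecord.getValue('subject') + '\n' + emailRecord.getValue('body')
  );
}

// Pre-Paris shape of process(): only checks that the row exists, so any user
// who can reach the processor can read any sys_email row by its sys_id.
function processReverted(ctx) {
  const emailId = ctx.g_request.getParameter('email_id');
  const emailRecord = new ctx.GlideRecord();
  if (emailRecord.get(emailId)) showEmail(ctx, emailRecord);
  else ctx.g_processor.writeOutput('No such email');
}

// Paris shape of process(): read access on the email row is evaluated first.
function processParis(ctx) {
  const emailId = ctx.g_request.getParameter('email_id');
  const emailRecord = new ctx.GlideRecord();
  if (!emailRecord.get(emailId)) {
    ctx.g_processor.writeOutput('No such email');
  } else if (emailRecord.canRead()) {
    showEmail(ctx, emailRecord);
  } else {
    ctx.g_processor.writeOutput('Insufficient rights to read the email body');
  }
}

// Run one variant as one user for one email_id and return the processor output.
function run(variant, userName, emailId, restrictions = []) {
  const ctx = makeContext(USERS[userName], emailId, restrictions);
  (variant === 'paris' ? processParis : processReverted)(ctx);
  return ctx.output();
}

// Reverted processor: the itil user reads the HR email just by supplying its id.
console.log('reverted/itil/e2     ->', run('reverted', 'itil', 'e2'));
// Paris processor with no rules: denied.
console.log('paris/itil/e2        ->', run('paris', 'itil', 'e2'));
// Paris processor with a rule scoped to incident: e1 shown, e2 still denied.
const rules = [{ table: 'incident', role: 'itil' }];
console.log('paris/itil/e1 + rule ->', run('paris', 'itil', 'e1', rules));
console.log('paris/itil/e2 + rule ->', run('paris', 'itil', 'e2', rules));
```

The point the model makes concrete is that the reverted processor's only input is the email_id request parameter, so removing canRead() turns every sys_email row into something any user who can reach the processor can fetch, regardless of which record it hangs off. A restriction rule scoped to the table the users actually work (incident here) restores their view without opening HR or other tables, which is why the reply recommends the rule over editing the processor or the sys_email ACL.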
‎05-27-2021 01:04 PM
Here is what we found. There is an ACL that is stopping the contents of the email from being displayed. This is an OOB ACL which mostly targets the HRSD application.
ACL: sys_email
Sys_id: 24ee8c39534203002b76da86a11c088e
Disable it and you will be able to see the contents. Since we are not running HRSD, we have disabled it and we are good.
I hope this works.
‎09-06-2023 06:54 AM
There's a table referenced in the script called "email_access_restriction". This table has some rules that restrict the read operation on some records. For example, we couldn't see the approval emails, so we modified the rule, adding the requested-for user.