Symptoms
End users are able to view work notes though there are worknotes ACLs in place which restrict them from viewing it.
Release
All the available releases
Cause
The customer may have added have added the "Comments and Work Notes" field instead of "Comments" and "Work notes" fields separately. Since this is a separate field in the sys_dictionary for the task table, it will not evaluate the ACLs you have on "Work_notes".
Resolution
To resolve the issue, you have to remove the "Comments and Worknotes" field from the corresponding view and add "Comments" and "Worknotes" separately along with the activity filtered.
Additional Information
"Comments and Work Notes" is a separate field and the users will need to have a separate ACL to hide this from users without any roles. They need to have ACLs defined limit read/write access to the users with different roles. Please find the sys_dictionary definition of the fields below.
Comments and Work notes -
https://<instance-name>.service-now.com/nav_to.do?uri=sys_dictionary.do?sys_id=82d2bcd26f321100a0619e4eae3ee4a1
Additional Comments -
https://<instance-name>.service-now.com/nav_to.do?uri=sys_dictionary.do?sys_id=9d4034526f321100a0619e4eae3ee4f8
Work notes -
https://<instance-name>.service-now.com/nav_to.do?uri=sys_dictionary.do?sys_id=194074526f321100a0619e4eae3ee402