I was investigating an issue where a tester was able to view a note against an opportunity which they weren't meant to. This note was owned by a user from a different business unit and the security roles assigned to the tester allowed for business unit level read only of notes. I checked and triple checked that the tester wasn't inheriting any roles from teams or assigned a role that provided organization-wide visibility to the notes. I was stumped. Turned out my colleagues had seen this behaviour previously and its all about the configuration of the relationships from an entity (in this scenario, the relationship from opportunity to notes). The relationship type of 'Parental' allows for the owner of the record to view any associated records relating to that record!
To fix the issue, you need to set the relationship type behaviour to 'Configurable Cascading' and that allows for the related records to be governed by security roles purely.
Bit bizarre if you ask me...guess its a "feature" :)