Some sources could fire events for non public data.

Currently, the notifications don't have ACL.

They are fairly easy to add by consumers according the routing key when they're related to a specific project, so we could recommend that as a first solution.