...
An area of contention in JEMHC is the Auditing feature that currently exposes ALL inbound/outbound mail (content, images, attachments) to instance admins. Project admins can access the same type of data scoped to their specific project.
Disabling Auditing
JEMHC Auditing can be disabled entirely to address this. Once disabled, it can only be re-enabled by going through The Plugin People support, so that the change is tracked.
...
The Covered Entity is responsible for configuring (1) which Projects generate JEMHC notifications, (2) which Audience receives notifications, (3) which fields are included in notifications, and (4) whether attachments (including images) are enabled (these can be limited by type and size). As with incoming mail, JEMHC Auditing of outgoing mail retains copies of the content sent (text/html) as well as attachments. These copies are available through auditing, exposing all such data to the System Admin (Project Admins are able to see such data scoped to the local project).
JEMHC Auditing doesn’t affect Webhook storage, which is a required feature for outbound notifications. If the storage or use of Webhooks on encrypted-at-rest storage is deemed unsafe, the only option is to not use JEMHC for notifications.
...