Follow-up from "Store mentioned users, groups, projects in DB using postgres array type"

This issue is to keep track of checking that access checks are not altered by changes added in !19088 (merged).

The following discussion from !19088 (merged) should be addressed:

  • @DylanGriffith started a discussion: (+1 comment)

    I recently learnt that sometimes a user can be mentioned in a comment but not notified about that if they don't have access to that comment. For example, on a confidential issue where they are not a member of the project. I'm curious to know if this will be correctly represented by the way you store the data and handled properly. We wouldn't want to leak those issues to the user later on a page that showed their subscriptions for example.
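
The concern raised in the discussion above, sketched as an added example that is not part of the original issue and is not GitLab's code: mention IDs stored at write time are filtered through an access check at read time. Every class, method and data value here is hypothetical, and the access rule is a simplified assumption.

```ruby
# Added illustration; all names are hypothetical, not GitLab's models or API.
require 'set'

Issue = Struct.new(:id, :project_id, :confidential, :author_id, keyword_init: true)

# One stored row per mentionable: user IDs parsed from the text at write time.
# Parsing only sees "@username"; it knows nothing about who may read the issue.
StoredMention = Struct.new(:issue, :mentioned_user_ids, keyword_init: true)

class AccessPolicy
  def initialize(memberships)
    @memberships = memberships # { project_id => Set[user_id] }
  end

  # Simplified assumption: non-confidential issues are readable by anyone,
  # confidential ones only by the author or members of the project.
  def can_read?(user_id, issue)
    return true unless issue.confidential
    issue.author_id == user_id ||
      @memberships.fetch(issue.project_id, Set.new).include?(user_id)
  end
end

# Read path that trusts the stored array: a mention is treated as access.
def mentions_for_unchecked(user_id, rows)
  rows.select { |r| r.mentioned_user_ids.include?(user_id) }.map { |r| r.issue.id }
end

# Read path that re-evaluates access when the list is displayed, so a
# stored mention never reveals an issue the viewer cannot open.
def mentions_for(user_id, rows, policy)
  rows.select { |r| r.mentioned_user_ids.include?(user_id) && policy.can_read?(user_id, r.issue) }
      .map { |r| r.issue.id }
end

# Constructed sample data: user 1 is a member of project 10, user 2 is not.
POLICY = AccessPolicy.new({ 10 => Set[1] })
ROWS = [
  StoredMention.new(issue: Issue.new(id: 100, project_id: 10, confidential: true, author_id: 1),
                    mentioned_user_ids: [1, 2]),
  StoredMention.new(issue: Issue.new(id: 101, project_id: 10, confidential: false, author_id: 1),
                    mentioned_user_ids: [2])
].freeze
```

Because the check runs on every read, a user who later loses project membership also stops seeing the confidential issue, without the stored rows being rewritten.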