We would like to limit what each user can see in the “activities” section of ownCloud.org .
So far, every user in our Cloud can view all activities, even those that were undertaken in folders that they have no rights to / i.e. cannot even view.
If users can see activities from files they have no permissions i would assume that this is a bug. At least if you're using one of the latest owncloud releases.