Currently, if you create a note or activity within a contact record, that note or activity is not permissioned by default.

While permissions can be set for the contact record itself, so that others are not able to view the notes and activities inside the record, there is still a way for the entire database to see it.

On the dashboard, it will show you all notes within the lat 7 days CRM-wide and all unfinished activities. These notes and activities include the contact name that is tagged to it and could potentially contain other confidentail info.

It is not necessarily intuitive to have to set a permission for a note or activity when the contact record is already permissioned.

Therefore I believe that a note or activity should inherit the same permissions as the contact record is is part of.