Are Contact Groups appropriate to use as a "permissions system"?

Your contact group setup sounds OK. If you assigned the guest role, then you have also enabled the setting to only show the objects the user is a contact for. This is correct, as a guest normally sees all objects.

Notification inside CMK works a little differently than in classic Nagios. The core sends a notification for every problem to the notification system. The notification system then looks at what rules it has. You created a rule for your external user, and as long as you don’t set any condition this user will receive every notification. The condition can be (or should be) the user group, or you can set specific hosts as the condition inside the rule. I do this if I only want to notify a special user about problems of his host, without this user existing inside the monitoring as a contact.

I would say: don’t use notification rules without conditions, and check that these conditions are right.
Forbid the user to create “user specific notification rules”, as a guest you don’t have this right but as a normal user you can do this.
Check that every user that you don’t want to see everything has the setting “only show hosts/services the user is contact for” activated.

There is no difference in the user rights and roles between 1.6 and 2.0; all the points are also relevant for 2.0.

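The rule evaluation described in the answer above, as an added example that is not part of the original post and not Checkmk's own code: a simplified model in which every problem event is checked against each rule, showing why a rule without conditions delivers everything to its user. The rule dictionaries, key names, user, hosts and groups are hypothetical and do not reproduce Checkmk's rule format.

```python
# Simplified model of rule-based notification. All structures and names
# here are hypothetical; this is not Checkmk's rule format.

def rule_matches(rule, event):
    """A rule matches when every condition it sets is satisfied.
    A rule with no conditions therefore matches every event."""
    cond = rule.get("conditions") or {}
    if "hosts" in cond and event["host"] not in cond["hosts"]:
        return False
    if "contact_groups" in cond:
        if not set(cond["contact_groups"]) & set(event["contact_groups"]):
            return False
    return True

def recipients(rules, event):
    """Users notified for one event: the union over all matching rules."""
    users = set()
    for rule in rules:
        if rule_matches(rule, event):
            users.update(rule["users"])
    return users

def delivered(rules, events, user):
    """Hosts whose problems reach `user` under the given rule set."""
    return [e["host"] for e in events if user in recipients(rules, e)]

def unconditioned_rules(rules):
    """Audit helper: names of rules that would fire for every problem."""
    return [r["name"] for r in rules if not r.get("conditions")]

# Constructed sample events, as the core would hand them over.
EVENTS = [
    {"host": "customer-a-web", "contact_groups": ["customer_a"]},
    {"host": "internal-db", "contact_groups": ["ops"]},
]

# Weak: rule for the external user with no condition at all.
WEAK = [{"name": "external user", "users": ["ext_user"], "conditions": {}}]

# Corrected, variant 1: condition on the contact group.
BY_GROUP = [{"name": "external user", "users": ["ext_user"],
             "conditions": {"contact_groups": ["customer_a"]}}]

# Corrected, variant 2: condition on specific hosts; the user does not
# need to be a contact of the host for this to work.
BY_HOST = [{"name": "external user", "users": ["ext_user"],
            "conditions": {"hosts": ["customer-a-web"]}}]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("group", BY_GROUP), ("host", BY_HOST)):
        print(label, delivered(rules, EVENTS, "ext_user"), unconditioned_rules(rules))
```
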