I believe I have slightly configured the roles to match my expectations… and yes, changing “See all host and services” to no is one of non-defaults I’ve set it appears.
This isn’t just a rule for that user, but a notification rule that specifically belongs to that user. I would’ve expected the contact group filter to be implicit, especially because…
I do want to expand user privileges a bit further to allow these third parties to properly ack their stuff etc. and configuring their own notifications would be nice too, less for me to babysit. But if I can’t actually lock down what they get notified for, that would be a problem.