Re: Does NOTIFY leak information? - Mailing list pgsql-docs

From Greg Sabino Mullane
Subject Re: Does NOTIFY leak information?
Msg-id CAKAnmmKPYACSzM40w+Ue2T7kPFiG-Y6W26Kj3TPeSEmgEu63_A@mail.gmail.com
In response to Does NOTIFY leak information?  (PG Doc comments form <noreply@postgresql.org>)
List pgsql-docs

On Wed, Dec 4, 2024 at 8:03 AM PG Doc comments form <noreply@postgresql.org> wrote:
> I am interpreting this to mean that if I as user A receive a notification to
> a channel that I have set up, then user B and user C will also see this
> notification, irrespective of their various permissions. Am I understanding
> this correctly, and if so, doesn't this qualify as an information leak?

No: it is a public broadcast, with no permissions implied (or allowed!). However, you can certainly store sensitive information elsewhere (e.g. a table), and use the notification as a way of signalling "hey, check the secure drop box, I just put something inside there".

If you still feel the docs are unclear about this, we always welcome wording suggestions.

Cheers,
Greg
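
The "secure drop box" pattern described in the reply above, as an added example that is not part of the original message or of the PostgreSQL documentation. The roles `alice` and `bob`, the table `secure_dropbox`, the channel `dropbox_ready` and the sample row are all constructed for illustration; `EXECUTE FUNCTION` assumes PostgreSQL 11 or later.

```sql
-- Constructed roles: two ordinary users who can both LISTEN on any channel.
CREATE ROLE alice LOGIN;
CREATE ROLE bob LOGIN;

-- The sensitive data lives in a table, where permissions can be enforced.
CREATE TABLE secure_dropbox (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    recipient name NOT NULL,
    body      text NOT NULL
);

-- Access control is attached to the table, not to the channel.
REVOKE ALL ON secure_dropbox FROM PUBLIC;
GRANT SELECT ON secure_dropbox TO alice, bob;
ALTER TABLE secure_dropbox ENABLE ROW LEVEL SECURITY;
CREATE POLICY recipient_only ON secure_dropbox
    FOR SELECT USING (recipient = current_user);

-- The notification carries only the row id. The channel name and payload
-- are visible to every listener, so neither may contain anything sensitive.
CREATE FUNCTION dropbox_signal() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    PERFORM pg_notify('dropbox_ready', NEW.id::text);
    RETURN NEW;
END;
$$;

CREATE TRIGGER dropbox_signal_trg
    AFTER INSERT ON secure_dropbox
    FOR EACH ROW EXECUTE FUNCTION dropbox_signal();

-- Writer session (the table owner, which is not subject to the policy):
INSERT INTO secure_dropbox (recipient, body)
VALUES ('alice', 'constructed sample secret');

-- Listener sessions: alice and bob can both run this, and both receive
-- the payload '1' once the INSERT commits.
LISTEN dropbox_ready;

-- Follow-up query, using the id taken from the payload.
-- As alice: returns the row. As bob: returns zero rows (filtered by the policy).
SELECT body FROM secure_dropbox WHERE id = 1;
```

Superusers and roles with `BYPASSRLS` are not restricted by the policy, and the table owner is only restricted if `FORCE ROW LEVEL SECURITY` is set.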

 
