diff --git a/components/Collection/Util/Controller/FeedController.php b/components/Collection/Util/Controller/FeedController.php
index f0b3538da8..9e51d61080 100644
--- a/components/Collection/Util/Controller/FeedController.php
+++ b/components/Collection/Util/Controller/FeedController.php
@@ -50,7 +50,7 @@ abstract class FeedController extends OrderedCollection
         $actor = Common::actor();
         if (\array_key_exists('notes', $result)) {
             $notes = $result['notes'];
-            self::enforceScope($notes, $actor);
+            self::enforceScope($notes, $actor, $result['actor'] ?? null);
             Event::handle('FilterNoteList', [$actor, &$notes, $result['request']]);
             Event::handle('FormatNoteList', [$notes, &$result['notes'], &$result['request']]);
         }
@@ -58,8 +58,8 @@ abstract class FeedController extends OrderedCollection
         return $result;
     }
 
-    private static function enforceScope(array &$notes, ?Actor $actor): void
+    private static function enforceScope(array &$notes, ?Actor $actor, ?Actor $in = null): void
     {
-        $notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor));
+        $notes = F\select($notes, fn (Note $n) => $n->isVisibleTo($actor, $in));
     }
 }
diff --git a/src/Entity/Note.php b/src/Entity/Note.php
index efffb18613..3203f71d4c 100644
--- a/src/Entity/Note.php
+++ b/src/Entity/Note.php
@@ -410,7 +410,7 @@ class Note extends Entity
     /**
      * Whether this note is visible to the given actor
      */
-    public function isVisibleTo(null|Actor|LocalUser $actor): bool
+    public function isVisibleTo(null|Actor|LocalUser $actor, ?Actor $in = null): bool
     {
         // TODO: cache this
         switch ($this->getScope()) {
@@ -430,9 +430,12 @@ class Note extends Entity
                 }
                 return false;
             case VisibilityScope::GROUP:
+                if (is_null($in)) {
+                    return false; // If we don't have a context, don't risk leaking this note.
+                }
                 // Only for the group to see
                 return !\is_null($actor) && (
-                    !($actor->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group
+                    !($in->getRoles() & ActorLocalRoles::PRIVATE_GROUP) // Public Group
                     || DB::dql( // It's a member of the private group
                     <<<'EOF'
                         SELECT m FROM \Component\Group\Entity\GroupMember m
@@ -440,7 +443,7 @@ class Note extends Entity
                             JOIN \App\Entity\Activity a WITH att.activity_id = a.id
                         WHERE a.object_id = :note_id AND m.actor_id = :actor_id
                     EOF,
-                    ['note_id' => $this->id, 'actor_id' => $actor->getId()],
+                    ['note_id' => $this->id, 'actor_id' => $in->getId()],
                 ) !== []);
             case VisibilityScope::COLLECTION:
             case VisibilityScope::MESSAGE: