It’s possible to add category notifications (via /g/[group_name]/manage/categories) for categories a group does not have permission to see. For instance, you can set all members of Trust_level_0 to watch the Staff category. There is even a prompt to apply the change historically:
This would be very bad if Discourse actually made that change and started showing random users what staff members are saying in private. Thankfully the prompt is a lie. After making this very scary change (on a staging instance) I could impersonate a random user and see they didn’t have this set in their tracking preferences (/my/preferences/tracking/) and don’t get notified of new activity. Category security is working as expected.
That said, when I look at the user’s tracking preferences while logged in as an admin, I see this:
I can add them to all sorts of private categories, which can cause momentary panic if you don’t know that Discourse is managing things correctly behind the scenes.
I think the right approach would be to disallow admins from setting the tracking preferences for categories users can’t actually read. That means I can’t manually add a category while visiting another user’s profile unless they are in a group that can see the category. And if I use the bulk update to add an entire group to a category, I get an error if the group doesn’t have permission to read the category.
Is there any reason to let admins add notification settings that don’t actually send notifications? The only case I can think of where it might make sense is if the admin plans to open up a category in the future and wants to have notifications for the appropriate group to be ready in advance. (But I don’t know if that’s a reasonable thing to do.)
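The write-time check proposed in this post, alongside the delivery-time filtering it observed, as an added example that is not part of the original post and is not Discourse code. Every method name, the exception class and the sample data are hypothetical.

```ruby
# Constructed model, not Discourse code: all names and data are hypothetical.
require "set"

# category => groups allowed to read it (constructed sample data)
CATEGORY_READERS = {
  "General" => Set["trust_level_0", "staff"],
  "Staff"   => Set["staff"],
}.freeze

# user => groups the user belongs to (constructed sample data)
USER_GROUPS = {
  "alice" => Set["trust_level_0", "staff"],
  "bob"   => Set["trust_level_0"],
}.freeze

class UnreadableCategory < StandardError; end

def group_can_read?(group, category)
  CATEGORY_READERS.fetch(category, Set.new).include?(group)
end

# A user can read a category if any of their groups can.
def user_can_read?(user, category)
  USER_GROUPS.fetch(user, Set.new).any? { |g| group_can_read?(g, category) }
end

# Proposed check for the group bulk update: reject instead of storing a dead setting.
def set_group_default!(store, group, category, level)
  raise UnreadableCategory, "#{group} cannot read #{category}" unless group_can_read?(group, category)
  store[[:group, group, category]] = level
end

# Proposed check for an admin editing one user's tracking preferences.
def set_user_preference!(store, user, category, level)
  raise UnreadableCategory, "#{user} cannot read #{category}" unless user_can_read?(user, category)
  store[[:user, user, category]] = level
end

# Delivery-time filter stays in place: a stored row alone never grants a notification.
def recipients(store, category)
  store.keys.select { |kind, _, cat| kind == :user && cat == category }
       .map { |_, user, _| user }
       .select { |user| user_can_read?(user, category) }
end
```

Keeping the filter in `recipients` means rows stored before such a check existed, or left behind after a permission change, still notify nobody who cannot read the category.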