Activate the glide.email.email_with_no_target_visible_to_all property to restrict user access to emails, unless they were the one who sent the email or have an admin role.

Unauthorized users are able to access emails in the sys_email_list table that are missing a target record. Instead of enforcing ACLs on email entries, this property restricts access only to the email sender and users with the admin role.
Note: Emails sent to and received by the instance appear in the sys_email_list table. However, only received emails that were marked with an Error and Ignored state should have an empty target table.

More information

AttributeDescription
Property name glide.email.email_with_no_target_visible_to_all
Configuration type System Properties (/sys_properties_list.do)
Configure Access control
Purpose To block email client from showing emails when user doesn't authorize access.
Recommended value false
Default value true
Security risk rating 6.5
Functional impact Users are no longer able to see emails where target table is empty unless they are an admin or were the sender of the email.
Security risk (Moderate) If the property is not enabled, unauthorized users are able to access any email where the target_table field is empty.
References

Advanced email properties

https://support.servicenow.com/kb_view.do?sysparm_article=KB0690043

To learn more about adding or creating a system property, see Add a system property.