Notifications are a free for all, security be damned. #2131

@fhars

Nimble automatically creates a Client Configuration Characteristic for every Characteristic that allows notifications or indications that is writeable without encryption or authentication:

rc = ble_att_svr_register(uuid_ccc, BLE_ATT_F_READ | BLE_ATT_F_WRITE, 0,

This allows any connected client to subscribe to any notification and get the values in plain text, independent of the confidentiality settings of the characteristic itself.

It should probably set the appropriate BLE_ATT_F_READ_* and BLE_ATT_F_WRITE_* flags if any of BLE_ATT_F_READ_{ENC,AUTHEN,AUTHOR} is set for the base characteristic.
