Prevent Data leaks via comment emails
We have discovered a security issue with Planner emails. If you receive an email from Planner about new comments, reply to the email, and add another address (an external address in this case), then the added address gets updates on ALL new comments for that task.
Steps to reproduce:
- Assign a task in Planner
- Add a comment to the task
- When the email is received from Planner, reply to the email and add an external address
- Make another comment in Planner
- External email address gets the comment update.
There is nowhere in Planner showing this external address subscribed to updates, and there is nowhere in Planner to remove this address from receiving updates. Planner updates should only be sent to members of the associated Office 365 group. A ticket was opened regarding this issue; we were told it was by design and to add this to User Voice.

1 comment
Anonymous commented
I reproduced this in my test Task.