If "users send e-mail via board" is disabled (in email settings), all users can see email addresses (and even send email), even those who have the "send email" permission disabled.
This can represent a security hole, because email addresses are shown even to guest users no matter how you set the permissions of the anonymous user.
This is because the email icon is shown to everybody. This isn't a problem if email is performed through the board, because the permission violation is caught later. But, if it's not done through the board, all users can send email.
The fix for this problem is explained in this thread: