Server shouldn't send confidential comments to author
On the client there is logic to hide confidential comments from non-admins. However, there is no corresponding logic on the server to prevent confidential comments from being sent to the client. This is unsafe, as a tech-savvy author could still access these comments.
We need logic on the server to strip confidential comments from returned objects if the user is not authorised to see them.
As a general principle, if a user should not see certain data, that data must be blocked/stripped/redacted on the server. Checks on the client should only ever be cosmetic, e.g., not showing a field if that field was not supplied by the server.
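The server-side stripping this ticket asks for, as an added illustration rather than the project's own code; the `User` and `Comment` models, the "admins only" rule and the nested replies are assumptions about the data model, and the filter recurses so a confidential reply under a public comment is dropped as well.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass(frozen=True)
class User:
    id: str
    is_admin: bool = False

@dataclass
class Comment:
    id: int
    body: str
    confidential: bool = False
    replies: List["Comment"] = field(default_factory=list)

def can_view_confidential(requester: User) -> bool:
    # Decided from the server-side session, never from anything the client
    # sends in the request (a "show_confidential" query flag would be ignored).
    return requester.is_admin

def serialize_comments(comments: List[Comment], requester: User) -> List[dict]:
    # Recurse into replies so a confidential reply under a public comment is
    # stripped too, not only the top-level entries.
    allowed = can_view_confidential(requester)
    out = []
    for c in comments:
        if c.confidential and not allowed:
            continue
        out.append({"id": c.id, "body": c.body, "confidential": c.confidential,
                    "replies": serialize_comments(c.replies, requester)})
    return out

def submission_response(submission_id: int, comments: List[Comment], requester: User) -> dict:
    # The only shape that reaches the client, so nothing dropped here can be
    # recovered by inspecting the response or the client-side code.
    return {"id": submission_id, "comments": serialize_comments(comments, requester)}

# Constructed sample data (hypothetical, not from the project).
SAMPLE_COMMENTS = [
    Comment(1, "Please fix the typo in section 2.", replies=[
        Comment(3, "Internal: flagged for a second editor.", confidential=True),
    ]),
    Comment(2, "Reviewer notes for editors only.", confidential=True),
]
AUTHOR = User("alice")
ADMIN = User("bob", is_admin=True)
```

With this in place the client-side hiding becomes purely cosmetic: the author's response never contains comment 2 or reply 3, while an admin's response contains both.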