The audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters.
This issue has been addressed in Weblate 5.12 via https://github.com/WeblateOrg/weblate/pull/15102.
Thanks to micael1 for reporting this issue at HackerOne.