I've just tried it and it does work.

That code has NOT changed in a long time.

So either your SOGoCalendarDefaultRoles is wrong, you're using a SOGoSuperUsernames or the calendar permissions are wrong.

Provide more evidence if you want.

User is not included in SuperUsers and the permisssions weren't changed for a long time. I checked it right now.
In TB and SogoWeb everything is fine. just in Outlook you see all details.

/ General /
[other entries]
SOGoCalendarDefaultRoles = ( PublicViewer, ConfidentialDAndTViewer, PrivateDAndTViewer );
SOGoSuperUsernames = ([our admin accounts]); // This is an array - keep the parens!

[] marks removed information; the admin accounts are not involved in the events in question.

i subscribe the calender of user1. i use the same user to subscribe in outlook and thunderbird. The rights in SOGoWeb are the same for every user but i post the rights direct from the user wich i subscribed.
In SogoWeb and TB everything is as expected. In OU i could see the private event.

Tested again.

sogo1 shares his personal calendar with sogo3:

public: view all
confidential: view date and time
private: none

Created 3 events from SOGo's web interface, each with a different access level.

sogo3 subscribes to sogo1's calendar and active the synchronize flag to have it in Outlook.

Outlook sees 2 events: the public one with all details, and the confidential one with only the title with a swapped value set at "(Confidential event)".

we reproduce your way. if we do it the same way like you. it works al fine. see screenshot 2017-02-23 15:41

BUT!!!
if we choose in Outlook -> add calendar -> from internet -> and use the webdav-ics url "https://sogo.example.de/SOGo/dav/sogo1/Calendar/personal.ics" in outlook the private rights are lost and you can see every event detail. see screenshot 2017-02-23 15:45
the green one is added with "Synchronize (Microsoft Enterprise ActiveSync) the red one is added with the WebDAV-ICS URL

forget screenshot 2017-02-23 15:42 the event names are to confusing and a i didnt make a sync

That has nothing to do with ActiveSync.

When you added that ICS subscription in Outlook, it requires authentication to access it. Then, you have provided "sogo1's" credentials and NOT the credentials of "sogo3".

Sorry that i lead you on the wrong track with Outlook EAS. That was our fault.

i dont have to enter credentials if i add the calendar this way.
And it works the whole time we use sogo before and sogo3 dont have the same rights as sogo1 he can't add, modify or delete events in the subscribed calendar.

Now we configure the outlook clients again with the Active Sync way on subscribed calendars. But the option is a newer one. In our roll-out version we didn't had this option.

But it don't fix this security hole and it keep the door open to get information to events thats are private or confidental.

If the calendar has been
subscribed in Thunderbird using the ICS link, rights settings are taken into account

Done a new test again this morning, all is fine.

This ticket would require investigation on the server itself.

What kind of investigation on the server would you suggest?
Do you need log files or sogo.conf? Then I need a less public path to submit it.

Investigation on the server itself means testing with a test account, debugging the log files, attaching to processes using gdb, reviewing configuration files, etc. That requires a valid support contract.

Thank you for the information.
We are going to renew our support contract (re. priority tickets) in the future.

Prior we have to wait if the decision to work with SOGo remains valid. In my opinion it should. But it's CIO's decision. It depends on the reliability of SOGo with Outlook 2013 as client.