Emailed Notifications to me should probably carry identifying information for me

I just noticed - the notification emails from Querki don't tell me what user they're being sent to.

This is a vector for a user with certain permissions (send _notify emails, maybe let other users create Things) to discover whether two Users in the Space are actually being run by the same real-life person. In private-invite Spaces this might not be a big deal, but IIRC there are less-private use cases for which I think this might be bad?

Example:

Have a Thing which can log who views it and when. (Its Default View creates a Thing using QL; you can then examine the created Things' Creators and Creation Times.) Actually, this level of permission might not even be necessary - if you can make a _notify email provide a link to anything which causes a generally-Readable Thing to be created when the user clicks on it, that'll do the trick. Wait until Identity A has just posted something. Send a _notify to Identity B only, with text information making it look like it's targeted for Identity A, pointing at the ViewLogger from #1. If Identity A and B are the same: the notification email shows up, the person clicks on it, and a view is logged for Identity A (since that's what they're logged in as). This is not proof-positive that the two identities are the same person, but fairly strong evidence. I suspect the ideal solution is for the link in _notify emails to carry "who this got sent to" context, so that if you click it while logged in as someone else, it prompts you to log in as the recipient or somesuch. But even just displaying who it got sent to is probably a good idea?