So, you may be asking, what's the big deal? With iOS 11, lock screen notifications are hidden by default on the iPhone X, and will only display if the user authenticates with Face ID (or Touch ID on lesser iPhones). For example, on an iPhone X, you'll see a notification on your lock screen that simply says “Facebook – Notification” if you aren't actively looking in the direction of the Face ID sensor. However, when you put your face into view to unlock the device, the contents of the notification will automatically be revealed.
With the newly discovered bug, Siri will read out lock screen notifications from third-party apps on a locked iPhone, even if message previews have been turned off. Siri doesn't perform any checks to see if the rightful owner of the iPhone in question is making the voice request, so anyone within earshot of the device can call out to Siri and request that notifications (including the contents of messages) from apps like WhatsApp, Facebook Messenger, Skype, Gmail, etc. be read aloud.
The amount of data that is read aloud depends on the app, but in the case of an app like Gmail, the sender of the email, the subject line and the first few lines of the message are read aloud. This is certainly unacceptable for a device that is supposed to be locked.
Interestingly, most of Apple's own built-in apps -- including iMessage -- don't allow for this breach of privacy to take place. If you ask Siri to read content from these apps, it will instead ask you to unlock your iPhone first.
Until the fix is released, the only way to prevent an unauthorized user from accessing your notifications (in audio form) is to turn off lock screen notifications for each individual app (which is a bit of an inconvenience) or to disable Siri while your device is locked.