jlb224 / moodle-mod_notetaker

Notetaker plugin for Moodle - allows students to take public or private notes within a course.

Home Page: https://jlb224.github.io/moodle-mod_notetaker/


Security: Notefield not formatted before displayed, allowing for XSS

mudrd8mz opened this issue

When displaying the notefield, only file_rewrite_pluginfile_urls() is called. But format_text() needs to be called first to

  1. apply the selected format such as Markdown
  2. apply all enabled filters
  3. clean the text from embedded JS

As it is now, users can submit JS into their public notes, which is then executed in other users' sessions. That is a serious security bug. Please refer to https://docs.moodle.org/dev/Security:Cross-site_scripting
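The two rendering paths described in the report, as an added illustration that is not the plugin's own code and not from the issue author. It assumes a `$note` record with `notefield` and `notefieldformat` columns, a module context `$context`, a file area named `notefield` and helper names `notetaker_render_unsafe`/`notetaker_render_safe`; all of these are assumptions. It follows the usual Moodle convention of rewriting `@@PLUGINFILE@@` placeholders first and then passing the result through `format_text()`, and it must run inside a bootstrapped Moodle (after `require_once('config.php')`) because both functions and the `FORMAT_*` constants come from Moodle core.

```php
<?php
// Added example, not code from mod_notetaker. Field names ($note->notefield,
// $note->notefieldformat), the 'notefield' file area and the two helper
// function names are assumptions. Requires a bootstrapped Moodle environment.

// Vulnerable pattern from the report: only the file URL rewrite runs, so any
// markup the author typed into the note (including <script> or on* handlers)
// is returned as-is and executed in every viewer's browser.
function notetaker_render_unsafe(stdClass $note, context $context): string {
    return file_rewrite_pluginfile_urls(
        $note->notefield, 'pluginfile.php', $context->id,
        'mod_notetaker', 'notefield', $note->id
    );
}

// Hardened pattern: rewrite the @@PLUGINFILE@@ placeholders as before, then
// run the text through format_text(). With the stored format (FORMAT_HTML,
// FORMAT_MARKDOWN, ...) format_text() converts Markdown to HTML where needed,
// applies the enabled text filters, and cleans the HTML so embedded JavaScript
// is removed before the string reaches the page. Passing the context lets the
// filters and cleaning honour the settings in effect for this activity.
function notetaker_render_safe(stdClass $note, context $context): string {
    $text = file_rewrite_pluginfile_urls(
        $note->notefield, 'pluginfile.php', $context->id,
        'mod_notetaker', 'notefield', $note->id
    );
    return format_text($text, $note->notefieldformat, ['context' => $context]);
}

// Constructed sample input: what a malicious user could save as a public note.
// The <img onerror=...> payload is typical of stored XSS, since <script> tags
// are not the only way to run attacker-controlled JavaScript.
$note = (object) [
    'id'              => 42,
    'notefield'       => '<p>Shared revision notes</p>'
                       . '<img src="x" onerror="alert(document.cookie)">',
    'notefieldformat' => FORMAT_HTML,
];

// $context would normally come from context_module::instance($cm->id).
// notetaker_render_unsafe($note, $context) returns the onerror handler intact;
// notetaker_render_safe($note, $context) returns the paragraph and an <img>
// whose event handler has been stripped by format_text()'s HTML cleaning.
```

Every other place the plugin echoes user-supplied text (note titles, summaries in lists, content returned to JavaScript or exported via web services) needs the same treatment: rewrite file URLs, then `format_text()` (or `format_string()` for single-line fields), never a raw echo.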