Non custodial wallets receiving lightning address invoices with messages using LUD-12 still require a web server to handle the lightning address send flow, so presumably you’re either having that done for you via a service provider, or you’ve implemented your own, which most people probably have not. In the former, whoever runs the web service which supports your lightning address would have access to the messages attached to the payments.

Having implemented LUD-12 for SN, this is my understanding. If anyone spots an error in this, please share!