Right click on any Outlook folder. Properties. Permissions. "Default" means everyone. Users are, as we all know, challenging. Sometimes they figure out that changing "Default" permissions to Owner means thier mate sitting next to them can now read their Calendar, whcih is right but so can the rest of the company!
If user A can see users B's Vault and you are sure that there are no permissions set on the AD Mailbox Object to allow this then it is highly likely that user B has either delegated permmissions to user A somewhere in his Outlook tree or else he has delegated at least read permissions to "Default" somewhere in his Oultook tree (in which case you would be able to see it as well).
Hope this is helpful.