How do I hide the full history of transactions from a party who is the last participant in a transaction chain?

When chaining transactions through multiple parties, I see that the final recipient party has the entire transaction history visible to them.

This is even if I use a non-validating Notary, and I suspect that this is because BroadcastTransactionFlow invokes CoreFlowHandlers.NotifyTransactionHandler, which invokes subFlow(ResolveTransactionsFlow()) and is resolving the last transaction in the chain to obtain the entire history at the final recipient party.

Is this accurate? Is there a design rationale for invoking ResolveTransactionsFlow to obtain the dependent transactions as a part of the BroadcastTransactionFlow? Is there a suggested way to protect this information as a CorDapp developer?

Frogfish answered 13/7, 2017 at 20:34

Very good point: you have highlighted the fundamental difference between a distributed ledger (such as Corda) and a distributed database.

With a distributed database, it is assumed that the nodes trust each other and so they can take any data sent to them by another node in the cluster at face value. With a distributed ledger, we make a very different assumption: we assume that different nodes are operated by different parties and that they may be trying to cheat each other.

So if I send you a transaction that purports to transfer $1m at Chase Bank from me to you, you can't simply trust me that the money exists, that it is mine and that it is now yours. You also have to verify. You need to see a chain of evidence that starts with the issuance of the cash by Chase and which includes every transfer until it arrives at you.

Hence the ResolveTransactionsFlow: it is utterly fundamental to the integrity of the system. It's how I prove to you that what I'm telling you is unquestionably true.

I wrote about this in more depth here: https://gendal.me/2016/11/08/on-distributed-databases-and-distributed-ledgers/

However, as you correctly observe, this causes a problem... you might get to learn about stuff that I don't want you to know!

The good news is that Corda is by far the best Distributed Ledger in this regard... the ResolveTransactionsFlow allows you to grab the chain of evidence you need but no more... it's the minimal set needed. Most other platforms indiscriminately spray data all over the place... a total privacy disaster!

In addition, we include techniques such as key randomisation so you don't learn anything about who the previous participants were.

And, even better, we've recently announced a breakthrough that takes Corda's privacy story to a whole new level: support for Intel's SGX technology. Mike wrote about it in the "Corda and SGX: a privacy update" article.

So bottom line: if you need a platform that allows mutually distrusting parties to "trust but verify" then DLT is for you. And if you care about privacy then Corda is the best platform by far... and it's only going to get better :)

Felix answered 13/7, 2017 at 22:57
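
A simplified model of the dependency walk discussed above, showing which earlier transactions a recipient ends up fetching in order to verify the one it was sent. This is an added example, not Corda code and not from the original posts; the `Tx` class, `resolve_backchain`, the ledger contents and the keys K1..K6 are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    tx_id: str
    inputs: tuple   # (tx_id, output_index) references to states being consumed
    outputs: tuple  # one pseudonymous owner key per output state

# Constructed sample ledger; ids and keys K1..K6 are made up for illustration.
LEDGER = {t.tx_id: t for t in (
    Tx("issue1", (), ("K1",)),
    Tx("move1", (("issue1", 0),), ("K2",)),
    Tx("move2", (("move1", 0),), ("K3",)),
    Tx("issue2", (), ("K4",)),
    Tx("side", (("issue2", 0),), ("K5",)),
    Tx("merge", (("move2", 0), ("side", 0)), ("K6",)),
)}

def resolve_backchain(tip_id, ledger):
    """List every ancestor the recipient of tip_id must fetch to verify it."""
    seen, order = set(), []
    queue = deque([tip_id])
    while queue:
        tx = ledger[queue.popleft()]
        for ref_id, index in tx.inputs:
            if ref_id not in ledger:
                raise KeyError(f"missing dependency {ref_id}")
            if index >= len(ledger[ref_id].outputs):
                raise ValueError(f"{ref_id} has no output {index}")
            if ref_id not in seen:
                seen.add(ref_id)
                order.append(ref_id)
                queue.append(ref_id)
    return order

if __name__ == "__main__":
    for tip in ("move2", "merge"):
        print(tip, "discloses", resolve_backchain(tip, LEDGER))
```

In this model the recipient of `move2` fetches only `move1` and `issue1`, while the recipient of `merge` fetches both input histories, so combining states from separate chains in one transaction widens what the next party sees.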