Hi @edgarogh and welcome to the HedgeDoc community!
It should be safe to delete the spam notes directly via SQL as long as they are not currently being edited.
Actually, we did exactly the same when we cleaned the old demo instance.
The relevant table is the “Notes” table. The data from the “Revisions” and “Author” table is automatically deleted per cascade. Except the uploads (which are unfortunately not tracked in the db), there should be nothing left in the database.