Private posts can only be retrieved by a properly authenticated user via the REST API so, I’d argue, things are safe when using https.
That’s what concerns me. No additional security other than a username/password can be used with the REST API to retrieve private posts, and I had a blog hacked once using a security error in WordPress. There should be stronger authentication (maybe two-factor) for the REST API too. Sure, I could disable it altogether, but that’s also annoying.
I’m just not comfortable storing private stuff on WordPress I think.