Private posts can only be retrieved by a properly authenticated user via the REST API, so, I’d argue, things are safe when using HTTPS.
That’s what concerns me. No additional security other than a username/password can be used with the REST API to retrieve private posts, and I had a blog hacked once using a security error in WordPress. There should be stronger authentication (maybe two-factor) for the REST API too. Sure, I could disable it altogether, but that’s also annoying.
I’m just not comfortable storing private stuff on WordPress, I think.