ActivityPub, the protocol that powers the fediverse (including Mastodon – same caveats as the first two times, will be used interchangeably, deal with it) is not private. It is not even semi-private. It is a completely public medium and absolutely nothing posted on it, including direct messages, can be seen as even remotely secure. Worse, anything you post on Mastodon is, once sent, for all intents and purposes completely irrevocable. To function, the network relies upon the good faith participation of thousands of independently owned and operated servers, but a bad actor simply has to behave not in good faith and there is absolutely no mechanism to stop them or to get around this. Worse, whatever legal protections are in place around personal data are either non-applicable or would be stunningly hard to enforce.
Direct messages, private messages, whatever you want to call them… have ALWAYS been available to your social media hosts. Reddit, Twitter, Facebook, Instagram, Discord… they can all read your private communications if they choose to do so. While I’d support E2EE for private messages for kBin etc, pretending that this is some sort of flaw inherent to the fediverse is inaccurate. It’s fair to want the fediverse to be better. It is not fair to hold it to a standard no one has ever applied to other social media.