ActivityPub, the protocol that powers the fediverse (including Mastodon – same caveats as the first two times, will be used interchangeably, deal with it) is not private. It is not even semi-private. It is a completely public medium and absolutely nothing posted on it, including direct messages, can be seen as even remotely secure. Worse, anything you post on Mastodon is, once sent, for all intents and purposes completely irrevocable. To function, the network relies upon the good faith participation of thousands of independently owned and operated servers, but a bad actor simply has to behave not in good faith and there is absolutely no mechanism to stop them or to get around this. Worse, whatever legal protections are in place around personal data are either non-applicable or would be stunningly hard to enforce.
Auch auf einer Platform die alles richtig macht und sich perfekt an die DSGVO hält können Personen screenshots machen, den Inhalt der Seite kopieren ohne dass die Betreiber bei Löschanträgen Dritten hinterherlaufen müssen um jede Spur eines Posts zu löschen. Imho können sich einzelne Instanzen an die DSGVO halten und sind nicht verantwortlich für andere die gelöschte Inhalte trotzdem anzeigen.