Official Mastodon privacy reference, aka: when you post privately or as a direct message, don't act as if you were invisible, 'cause you're not; so remember to only join instances whose admins look trustworthy to you, and mention users from other instances very wisely. If you need to communicate something strictly confidential, it's probably advisable to use a better tool, such as XMPP + OMEMO.
https://github.com/tootsuite/documentation/blob/master/Using-Mastodon/User-guide.md#toot-privacy