ActivityPub messages are, as far as I managed to figure out, “just” signed, not encrypted. Meaning: Even apparently “private” messages exchanged between individuals aren't really “private” but exchanged between services merely with the assumption of them being “private”. This isn't a secret but something at least from my perspective not stressed enough, specifically when talking about using the software and environment as an at-risk or vulnerable group.
All along the same line, I have had a lot of different accounts on a lot of different federated platforms. More than once, I cleaned up and deleted posts and accounts. For quite a bunch of these acounts, still, though, I see both my profile and a random set of posts on some instances. This, too, is an obvious thing in a decentralized environment but it also might be interesting to keep in mind: Deleting your data is something that just “hints” other systems to please actually remove this data rather than ensuring it is really gone. (There might be interesting legal side-effects to that but that's a topic of its own I guess.)
The inability to see old posts of new contacts, especially if they're on an instance that hasn't been known to ones own instance before, is a re-occurring weirdness. There is a straightforward technical explanation for that, but from a client point of view, this is weird and most likely to work pretty much against every kind of expected behaviour. This seems different for other protocols on the Fediverse.
Particularly weird situations arise if following people with posts set to be seen by followers only. In this case, too, nature of federation totally seems to clash with the expectation people coming from virtually every other social network will have: No matter whether Tumblr, Instagram, Facebook - “private” profile means you'll see posts once you established some sort of contact relationship with the account owner. This doesn't seem to work at all here.
Especially if coming from Facebook, visibility settings of posts behave not as expected. No matter whether wanting to temporarily hide all posts ever made from any visitor of ones profile regardless of contact relationship or wanting to add or remove access to individual posts for certain users retroactively - the current nature of federation doesn't seem to handle this at all in any platforms out there (tested on Sharkey, Friendica, Mastodon, Hubzilla).