I somehow managed to mostly dodge the whole pleroma fork drama.

I can only say this:

Yes, the post visibility setting is pure bullshit. Yes there's chance of rogue server leaking everything. However: same applies to email (hello, gmail) servers and XMPP and most likely matrix. Yes those are built around handling private messages and not public statuses, it only changes how many mistakes can be made in relevant part of the code.

Now, making a fork, instance that leaks private information to "prove a point" is same as trying to prove a point that guns are bad by shooting up a school, or that postal service cannot be trusted by getting a mailman job and reading all the mail out loud in public.

Here's a little story about hacker finding out a salt shaker vulnerability in a restaurant https://pastebin.com/pTQwE2ey