The underlying issue is that you can not trust the server if you want truly secure messaging between members.
This means that the software used to encrypt and decrypt stuff should not be sent from the discourse server.
I second what was said here, you want something like keybase or signal for secure comms, you have to invest in training here. Treat the info you have on Discourse as potentially leaked, there are just too many vectors. People hosting the service, web browser caches on local computers running old exploitable operating systems and so on.
If I was pushed hard to come up with something for journalists discussing highly sensitive info that is Discourse I would
-
Host the physical server in my house or somewhere I can see it all the time
-
Use SSL clearly
-
Only have myself as admin
-
Enforce limited user agent support, demand everyone use a very specific browser and only allow that user agent on the site, this browser would not store any cached files on local disk
But… even with all of that … signal/keybase is much better on so many levels