root access on the host server effectively gives full access to all content in Discourse. Including soft-deleted content (it still lives on in the database) not permanently deleted.
(even while it was supported, our discourse-encrypt plugin would only give personal messages the benefit of encryption)
The best way to prevent this access from the host would be to not be able to give that access (for example if your site were hosted by us or another similar entity).
In that case, someone with admin access on the Discourse site would still be able to download a full database backup and see all data, but not be able to access the backend systems.