If I recall, the PM accessibility feature is only available to admins. Mods cannot open other users’ messages. So the simple answer is you only give admin access to those who specifically service and manage the Discourse instance itself. From a technical standpoint, those managing your instance could get access to the PMs from the database itself without generating log entries. As an admin of the site and the server it’s on, the only way to ultimately prevent admins from gaining that level of access is to encrypt the contents with a key they don’t have.
For the level of security you’re looking for, you basically need this:
I haven’t used it (yet), but I believe it generates and stores the keys client-side in a way where they wouldn’t be accessible via the impersonation feature. The key is still stored locally and impersonating shouldn’t provide access to it (as far as I’m aware). This is really the only way to protect the data in the database itself.
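Added example (not part of the original post, and not the code of the plugin the post refers to): a minimal WebCrypto sketch of the idea above, where the recipient's private key is generated client-side as non-extractable and the server only ever stores ciphertext. The function names and the sample message are constructed for illustration.

```javascript
// Added illustration; makeUserKeys, sealMessage, openMessage and demo are hypothetical names.
async function webCrypto() {
  // Browsers and recent Node expose WebCrypto globally; older Node via node:crypto.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Runs on the user's device. extractable=false means the private key can be
// used for unwrapping but cannot be exported, so it never reaches the server.
async function makeUserKeys() {
  const wc = await webCrypto();
  return wc.subtle.generateKey(
    { name: 'RSA-OAEP', modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: 'SHA-256' },
    false, ['wrapKey', 'unwrapKey']);
}

// Runs on the sender's device. The returned object is all the server would store.
async function sealMessage(recipientPublicKey, plaintext) {
  const wc = await webCrypto();
  const msgKey = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ciphertext = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, msgKey, new TextEncoder().encode(plaintext));
  const wrappedKey = await wc.subtle.wrapKey('raw', msgKey, recipientPublicKey, { name: 'RSA-OAEP' });
  return { iv, ciphertext, wrappedKey };
}

// Runs on the recipient's device with the locally held private key.
async function openMessage(privateKey, row) {
  const wc = await webCrypto();
  const msgKey = await wc.subtle.unwrapKey('raw', row.wrappedKey, privateKey,
    { name: 'RSA-OAEP' }, 'AES-GCM', false, ['decrypt']);
  const plain = await wc.subtle.decrypt({ name: 'AES-GCM', iv: row.iv }, msgKey, row.ciphertext);
  return new TextDecoder().decode(plain);
}

async function demo() {
  const wc = await webCrypto();
  const alice = await makeUserKeys();
  const row = await sealMessage(alice.publicKey, 'constructed sample PM body');
  // A party holding the stored row but not alice's private key (a different key pair here).
  const other = await makeUserKeys();
  const dbReader = await openMessage(other.privateKey, row).then(() => 'decrypted', () => 'failed');
  // Attempting to export the non-extractable private key is rejected by WebCrypto.
  const exportAttempt = await wc.subtle.exportKey('pkcs8', alice.privateKey).then(() => 'exported', () => 'refused');
  return { recipient: await openMessage(alice.privateKey, row), dbReader, exportAttempt };
}

demo().then(console.log);
```

The protection holds only for the message body sealed this way; whatever the server stores outside the sealed row stays readable to whoever can read the database.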