How to make it so that admins are not able to view private messages of their users?

Hi,

I performed a little experiment and was quite surprised to find that an admin user could view the private discussion between two non-privileged users.

I know if I really wanted, as admin of the VPS, I could see these messages in the databases (but I would never abuse that privilege without user consent).

I want Discourse admins (even the account used to install Discourse) not to be able to view private messages.

Are there options for that? Could that not be set as the default?

So it turns out that a few years ago we had many long discussions about this. I was on your side, FWIW. :slight_smile:

While the scenario you describe is still possible (and I don’t think there’s an audit trail) since then it’s now possible to disable all messages if the admin would like, so there’s somewhat of a workaround. Also it’s worth noting that (IIRC) the name for this feature in the UI changed from private messages to personal messages to (just) messages. :nerd_face:

So it's either no messages, or messages as they currently are?

This feature would cause massive controversy in the community I live in!

This is my current understanding of the situation, yes. If you want to do user-to-user messaging and you think folks are concerned about the privacy implications, then you should probably look at complementing Discourse with something else.

For that scenario, I’d recommend a messaging solution with end-to-end encryption, like maybe Riot/Matrix for example. Without that, you’re basically in the same technical space as Discourse where admins can always get access to the content of those user-to-user messages.

What you really want is Latest on Encrypted Personal Messages. Looks like it’s not quite ready for primetime, but having PMs that cannot be read (even with access to the database) except by the intended users is on the road map.

5 Likes

Thanks for sharing that! I missed the update and it's really good to hear it’s on the roadmap. (It’ll help solve some problems in my TODO list.)

1 Like

And it’s a real solution, not an “unless the admin wants to read the PM any of several ways that cannot be detected” kind of way.

1 Like

Will definitely look into implementing one of the real foolproof methods (and am going to bookmark this thread for the future because it is something I am pretty keen on learning more about).

However, what would it take to simply hide the message icon from admins?

I can’t have admins knowing other users’ business so easily, but if the option is simply not available, except by a hack, that should suffice for the time being. I will add caveats and warning messages (and even link to this discussion) and then they can make up their own mind on how they would like to use messaging.

If you want to hide the message icon, you could probably do it with a theme component.

If you wanted to make it a little harder to bypass, you could have a plugin do it.

1 Like

I believe there is, if you turn on the site setting "Log personal message views by Admin for other users/groups".

1 Like

Well, sort of. Admins can still inject JS in the page that can do anything it likes with what’s displayed in the browser, including transmitting it elsewhere, etc.

3 Likes