Kind of off topic… but you might be interested in Discourse Encrypt (for Private Messages) for truly ‘private’ messages. Leaked/stolen backups of encrypted PMs would not be readable by an attacker.
(although, as you said, there is still an assumption that the admins are trusted)