Are not a 100% private Admin can view, Moderators can view PM with a site setting change.
Discourse has a plugin that enables peer 2 peer encryption. - If going with a paid hosting look to see if plugin is included. Self-Hosted cinsider installing:
The cookie consent Banner might not be enough for GDPR. You would need to check with local laws. @Jagster might have sine info on this and/or suggestions for theme-component & plugin to consider.