Each online server or service we use requires us to agree to its Terms of Service, or TOS. It's easy for people to forget (if they ever read it at all) those terms over time and frequent use. The term PM, or private message, does seem to promote an expectation of privacy, though we have learned, and agreed, to eliminate this expectation.
And because I'm too lazy to go back and cut and paste:
US mail, as well as other mail and package delivery, belongs to the addressee, even if the addressee has used a workplace address for delivery. Employees have legal recourse if adverse action is taken by an employer over contents of mail. That being said, you'd be an idiot to order pornographic videos and have them delivered to you at your place of employment.
Another interesting note: Personal emails sent to or from government employees do NOT constitute public records, even if they are stored on government owned mail servers, and are excluded from production for any FOIA or sunshine law request. Only business-related emails constitute public records. Obviously, the personal emails can still be subpoenaed, and limiting one's personal use is a good idea.
Private and secure are two different things. ANY transmission you make that is not secure (or encrypted) carries the possibility that it can be intercepted and read somewhere along the way. Not that anyone IS, just that it can. Private just means you're sending it to one or a few select individuals, rather than positing it publically. As above, it doesn't eliminate the possibility that it can be intercepted by someone to whom you've already agreed to allow access via terms of service.
Caveat Poster.