Yes, we should add on mail somewhere that PMs shouldn't be considered as private as email. I did say something to that effect 2034 days ago:
Importantly, only those users included in a message can read the mail and comments. However, Hubski mail is stored as plain-text on our server and privacy is permission-based only. For that reason, please don't post very sensitive or personal information in Hubski mail.
But, we could make it clear.