I'm going to use Tildes as a hypothetical example since I don't know how it is set up here.
I want to send a private message to a user here. I'm fairly certain that only myself, the recipient user, and @Deimos would be able to see the private message. The recipient and I could see the private message through the Tildes GUI. @Deimos could see the private message at the database on the server.
If someone was savvy enough, then they could 'listen' to a port and snag the private message in transit from the client en route to the server. Therefore, they may see something like a userID number, the subject, followed by the message.
However, if Tildes were set up with in-transit encryption (using Transport Layer Security/Certificates), then anyone listening in on a port would be thwarted.
I've been reading about this lately and just wanted to make sure that I'm understanding the fundamentals of this correctly. Am I?