The admins of instances where you have followers can read your followers-only posts. They can read your DMs to people on their instances. Not via the web UI, but they have database access.
This is not a bug, this is the trust model that Mastodon uses: you have to trust admins of instances you interact privately with to not read your posts.
(The bug going around is a bug because it doesn't involve a malicious admin, and it leaks data to a non-admin.)
Mastodon does encrypt your posts between clients (browser/app) and Mastodon servers. It also encrypts your posts between your Mastodon server and other Mastodon servers. But your post is decrypted and re-encrypted for each hop.
This provides protection against people other than the admins of the servers reading these messages (your ISP, other people on your WiFi network, the CIA, etc.), but not the admins.
For that, Mastodon would need to implement end-to-end encryption.
With end-to-end encryption, your client would encrypt your post before sending it to your Mastodon server, so that only the intended recipients can decrypt it. It remains encrypted until it reaches the client of your intended recipient, who then decrypts it and reads it.
This adds a lot of constraints to a system, and is not easy to implement. I'm not going to pretend to be an expert on it, so here ends the thread, lol
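The difference between the two models described in the thread, as an added example that is not part of the original thread and is not Mastodon code. It assumes a toy standard-library cipher standing in for both TLS and an end-to-end scheme, a pre-shared `e2e_key` in place of real key exchange, and hypothetical names throughout.

```python
import hashlib, hmac, os

# Toy authenticated cipher built from the standard library so the example runs
# offline. It stands in for both TLS and an E2E scheme; do not use it for real.
def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def deliver(post, hop_keys, e2e_key=None):
    """Carry `post` over client -> server A -> server B -> client.

    Returns (what the recipient reads, what each server held after decrypting
    its incoming hop). `e2e_key` is assumed to be shared by the two clients only.
    """
    payload = seal(e2e_key, post) if e2e_key else post
    held_by_servers = []
    for i, key in enumerate(hop_keys):
        wire = seal(key, payload)      # transport encryption for this hop
        payload = unseal(key, wire)    # the receiving end of the hop decrypts
        if i < len(hop_keys) - 1:      # every receiver but the last is a server
            held_by_servers.append(payload)
    return (unseal(e2e_key, payload) if e2e_key else payload), held_by_servers

if __name__ == "__main__":
    post = b"followers-only: constructed sample post"
    hops = [os.urandom(32) for _ in range(3)]   # one transport key per hop
    _, held = deliver(post, hops)
    print("hop-by-hop, servers hold plaintext:", [h == post for h in held])
    _, held = deliver(post, hops, e2e_key=os.urandom(32))
    print("end-to-end, servers hold plaintext:", [h == post for h in held])
```

In both runs every hop is encrypted on the wire; only the end-to-end run leaves the two servers holding ciphertext they have no key for.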