Hmm, read this article about Mastodon security/privacy and direct messages don’t seem that secure.

Direct Messages (DMs) on Mastodon are stored in clear text on the Mastodon server. They’re not encrypted. That means that they could be read by whoever is administering your Mastodon server. Furthermore, direct messages with users on other servers will be delivered to different servers and copies may be stored there.
…
But there’s more danger potentially associated with direct messages on Mastodon.

Imagine you are having a direct message conversation with someone on Mastodon about a sensitive subject.

Maybe George and Paul are bantering via direct message on Mastodon, and one of them says “I’ll tell you who’s a twit. That bloody Ringo”

Well, because Ringo has been mentioned in the chat, he now sees a copy of the message too.