You can read up on the conversation on the GitHub issue here.
TL;DR: the current system on the (unreleased) 1.0 codebase is that your Lemmy instance will replace all Lemmy URLs in posts/comments with the equivalent URLs on your own instance. In the issue I linked, some concerns are raised about this system and various other options are discussed. It’s possible that the way it works will change before Lemmy 1.0 is released.
The Lemmy UI doesn’t allow you to see others’ private messages, no, but you shouldn’t consider them to be private. It’s possible for instance admins to read them, and in the past there’s been exploits allowing anyone to read them. If you need more secure messaging, use Matrix instead.