WordPress should not display private posts in public RSS feeds, except for those privileged users you mentioned, and even they need to be viewing the feed in a browser where they’ve logged in to your site. If your WordPress does display private posts in the feed for everybody, there’s something wrong; perhaps a misbehaving plugin or theme.