Echo what @skilesare said.
Side channel attacks are currently possible. If someone (or even an node operator) wants to prove a point (that there is no data privacy at the moment), there is this challenge Capture the Token: Hack this canister for 1 ICP.