In the past, I had an experience with a private tree not truly being private also. I believe they have improved with private trees actually being private.
I am not sure about the process, because you would have to mark your tree as private right away after creating it, and I don't know if there would be a time period where the items would be in the default of public. Obviously, the quicker you check the private box, the better. Remember you also have to decide whether to allow the tree to be indexed, which is a second step. I have a private tree that is synced, but the tree originated on Ancestry, not FTM. I haven't had any privacy issues with that one that I am aware of, but there are some things I will never put on the internet.
I agree with you that it is the photos and stories (and things for living people) that are particularly at issue. I have recently noticed that I was able to view a living person in someone else's tree even when there was no death date and he is not that old. It was not that person's own tree but someone else who had him in their tree.