- Yes! All content in your feed is cryptographically signed. As far as I understand, blobs (images, videos, files) are not signed, but the message you use to reference them is.
- Yep, you can see when someone posts a private message but you can't see the content or who the recipients are. An attacker may be able to correlate message times if you're chatting back and forth quickly.
- You got it. Assume everything is public unless you're sure it's private. In Patchbay you can click the + next to posts and (if you're a recipient) see `private: true`. For example, when I look at this post I can see the content and `private: true`, which verifies that you (hopefully!) can't see it.
- Bingo. FDE all the things!
- The only other thing worth knowing is that (as far as I understand) we don't have perfect forward secrecy in private messages. This means (again, as far as I understand) that if your key is compromised, the attacker will be able to read all of your private messages. More discussion here: %7w2PaPH...
As always: avoid trusting your life or well-being to cryptographic systems. Scuttlebutt is infinitely better than, say, private messages over Twitter, but it isn't a silver bullet.