Even if the forum didn't have the ability to "become this user" and read messages/change data, they could always update information and read it through the database.
I think a great security measure would be to encrypt PMs using one of the several available PHP methods, but you must keep in mind that sometimes validating info in PMs is a necessity (imagine, if you will, someone harassing another user; if things were encrypted you'd be SOL).
I think encryption of PMs though would be a first in bulletin board standards, I think it could be kinda cool lol