There is a rumor that admins can read your direct messages. This is essentially true. In essence, if someone hosts their own instance they can always look in their own database. But the general working of the software is that admins can only read if someone reports content to them. Anyway, this is a good reminder to never use direct messages for sensitive information, on any social media system. And yes, dishonest people can also start Mastodon communities. Awareness is good for making informed choices.
Glad he called it out (although quite mildly) because this is something the general public won't be ready for in social media. I say this is mild because at the worst end of the scale a malicious/racist/violent person who hates certain types of people could setup a server just for that and let it run as a paradise while collecting data on all the people who join. Email addresses, IP, local groups/meetups and if they were really motivated could probably turn off metadata stripping, literal goldmine of data if you run an instance
I'm not too keen on this whole SPREAD OUT AND JOIN THE INSTANCE THAT'S RIGHT FOR YOU because that sounds like a great way to force people into the hands of shitty (or as mentioned malicious) admins who don't care if they shut down their instance one day without warning.
I think it's more prudent to advise people to organize with their group and start their own instance which gives them more protections. Know your admins, a big benefit of the fediverse.