That's a really weird one... the way it defaults to public I can't really think of this as a security feature, and I don't think it actually is really intended to be one. But all the wording it uses including "privacy" are really invoking thoughts of actually sensitive data, and if we're at risk of logging those -- the default has to be private by default, but that's not what we're proposing (and it would be hard to adopt easily).
I'm trying to understand who this proposal is really for, because it's a bit too weak to really help auditing a codebase for accidental PII information leaks -- you'd want a protocol that enforces that only trusted types "ok to log" even compile when one tries to log them -- including the description redaction etc...
It kind of feels this would be entirely ignored by the vast majority of swift-log users and I'm not entirely clear how it aligns the API with OSLog as well because of the flipped default 
So, what are we really solving here? From there, let's work back and maybe name this apropriately, because AFAICS this isn't a privacy/security feature but it kinda looks like it is which is problematic IMHO?