Well, it is possible to configure the web server being used by this private WordPress to only allow access from certain domains or IP addresses. This is not the default setting from any piece of web server software, in my experience. If the computer that runs the web server software is patched and configured securely, then it will be quite difficult to access the content of this private WordPress instance. A knowledgeable intruder with access to (un)documented back doors on either the web server or WordPress will still find a way in.
A private post on a 3rd-party WordPress site, which might or might not have sufficient patches/security in place for that website or the server(s) that site runs on, could be compromised much more quickly than you would expect and therefore should not be considered private under practically any circumstance.
Nowadays I do have the impression that most breaches are made by persons who want to make money off the information they acquire. So if those posts are made on an obscure website with hardly any traffic, then it is likely the case that the financial gain is too low for the amount of effort those persons would have to spend acquiring your private posts.
The above is valid for anything you couple with the internet, not only WordPress. Also applying fail2ban and two-factor authentication systems to a website will considerably improve the chances that your posts stay private. A WordPress website often uses a MySQL database for storing content. If it is an option, storing your private posts sufficiently encrypted (AES256 and/or RSA2048) in such a database will again improve the chance that your posts remain private, even if a breach does occur.
Still, the best thing to do to keep things private is to not post those things on the internet at all.
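
An added example, not part of the original answer: a small audit that checks whether the IP restriction described in the first paragraph is actually in effect, by scanning the web server's access log for requests from outside the allowlist that were not refused. It assumes the combined log format, a 403 status for refused requests, and documentation-range addresses; the names `ALLOWED`, `is_allowed` and `audit` are hypothetical.

```python
import ipaddress
import re

# Assumed allowlist (documentation ranges, constructed for this example).
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]

# Combined log format: client ident user [time] "request" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) ')

# Constructed sample access-log lines.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:01:09 +0000] "GET /?p=42 HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.23 - - [12/Mar/2024:10:01:15 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2210 "-" "curl/8.0"
2001:db8:10::5 - - [12/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
2001:db8:ffff::1 - - [12/Mar/2024:10:02:30 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
garbage line without the expected fields
"""

def is_allowed(addr, networks=ALLOWED):
    ip = ipaddress.ip_address(addr)  # raises ValueError if addr is not an IP
    return any(ip.version == net.version and ip in net for net in networks)

def audit(log_text, networks=ALLOWED):
    """Return (leaks, unparsed): requests from outside the allowlist that were
    not refused, and lines that could not be checked."""
    leaks, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            unparsed.append(line)
            continue
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        try:
            allowed = is_allowed(client, networks)
        except ValueError:  # client field is a hostname or junk, not an IP
            unparsed.append(line)
            continue
        # Assumption: the server answers refused clients with 403.
        if not allowed and status != 403:
            leaks.append((client, request, status))
    return leaks, unparsed

if __name__ == "__main__":
    leaks, unparsed = audit(SAMPLE_LOG)
    for client, request, status in leaks:
        print(f"NOT BLOCKED {client} {status} {request}")
    print(f"{len(unparsed)} line(s) could not be checked")
```

In the constructed log, the restriction covers the post URL but not every other path, which is the kind of gap this check surfaces; lines that cannot be parsed are returned separately so they are not silently treated as safe.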