i guess caldav/carddav/.. suffer from the same issue and i was told this is a weakness, designed into the rfc. the implementation is correct with respect to this rfc. as this might be a show stopper at our site (ok, i could teach users. but this is not really an option because users tend to forget - the higher in the hierarchy, the earlier and the higher the risk).
if there is the option to declare an object private/confidential, the meaning of such flags should be respected and this should be done by the server.
may i suggest: whenever an object is requested, check the object for private/confidential flags and modify the object (ical, ics) in the same way the web client does it, after the sharing permissions have been merged but before it is sent to the requester.
yes i know, other systems do not respect these flags either, but why not have a better system?
thanks for your attention