I had some thoughts on "private" communications in the federated space. This is going to focus on the IndieWeb but I think others can benefit from this as well.
Lois has an event that she'd like to share. Let's give it a URI of https://lois.com/event. Now with this event, she doesn't want it to appear on her site's main feed so she sets the visibility of the post to be "unlisted". This removes it from feeds but if someone knew the exact URI; they'd be able to visit it. She wants this event to only be visible to a select group of friends. The list is controlled by her.
That list of people could be considered a _group_ in this case. Though disposable, it'll serve as the authoritative list of people she'd want to invite to this event. Now, whenever someone (Clark) visits that URI; her site will ask them to prove their identity and to confirm that they are a person on this list. That can be done with IndieAuth or some other forms of authorization (though IndieAuth would give us what we expect).
Now that we confirmed their identity, we can go ahead and show them the content of said event. They've been informed that they should bring some wine and juice (for the non-alcoholic crowd). Nice! In the case of replying to such a post; the responder (Clarke) would have to take caution to not make the visibility of their post "public" since the parent post itself isn't public. It'd also look invalid in other people's social readers since they can't see the parent post without authentication.