The Financial Times has identified a “privacy flaw” within Google+: re-sharing. A privately shared post or picture can be subsequently re-published or shared by the recipient to any of his or her Circles or the entire world. This would potentially thwart the privacy “settings” or objectives of the original creator of the post.
Google is aware of the problem and says that it will address it. (See below for “fix.”)
For example, if I have a private Circle of co-workers and somebody makes a defamatory statement about “the boss” and then it’s made “public” by re-sharing it could cause problems — you get the picture.
This is part of the reason why Google has sought to get feedback on the product before opening it up publicly to everyone. If it had done so I’d probably be writing about a class-action lawsuit and FTC complaint right now. But Google is purposely collecting this type of feedback to “fix” such problems before Google+ is publicly made available.
In general Google has done a great job with privacy in the product. Before each comment or post goes out users must choose which groups/Circles to share the content with. Google makes it an explicit decision every time. I think this is one of the great strengths of the product.
The privacy “settings” or controls are there on the page with each update and not in the background.
Postscript: You can disable resharing on private messages or non-public messages. In the upper right of any message there’s an arrow that opens a pull-down menu. One of the choices is “disable reshare,” which prevents others to whom you’ve sent the message from making it public or otherwise sharing it with their Circles.