I think if we enabled outgoing webhooks into private groups ideally there would be an easy way for users to see what's been added.
But why? There is no way to tell if a user participating in the private channel scrapes the data on her own, and there is never going to be such a way: the user may even use a webdriver and not touch the API. What additional guarantees would infomation about webhooks provide? Ultimately a private channel means trust to all participants, and it cannot be resolved on software side. I think seeing that someone else may read this information is already an obvious indication that this someone else can relay this information somewhere else. Fast, and obvious.
The only important thing I can think about is disabling the webhook once its creator leaves the channel.