If a user somehow gets a link to a private collection's subscribers page (https://musicbrainz.org/collection/MBID/subscribers) and is logged in, they can see the collection name, user, entity type and number of entities in the collection (but not the contents of the collection nor any free text fields the user entered).

Minor because there's no way I can see that a user who can't otherwise see the collection would get the collection MBID, but still.