Usually, when you engage the private mode of your browser, you expect nothing to be saved. Unless, it turns out, you’re using Apple’s Safari browser on a Mac.
To make matters worse, as AppleInsider points out, this isn’t even a particularly new flaw, but one that’s propagated through the Mac version of Safari for years now.
To be specific, the flaw relates to the way that Safari caches favicons, those tiny pictures that pop up in browser tabs to aid your identification of each tab as it’s opened. In Private mode, Safari saves the favicon and its corresponding web address at ~/Library/Safari/WebpageIcons.db. To pour a little salt into the wound, they’re not encrypted in any way at all, which means that your supposedly “private” web browsing is only a few mouse clicks away for anyone with access to your home folder.
You can clear the data within the WebpageIcons.db file by using the “Clear History and Website Data” option within Safari, but that will only clear history to date. The problem will persist, and appears to still exist even in the early builds of the next version of Safari itself.
Naturally, whatever you use private browsing for remains your own business. We won’t judge.