It’s all in the ActivityPub protocol that I’ll link below. If you read it, it’s strikingly clear that there is no actual guarantee that your permissions will be honored. In fact, the standard uses the term “SHOULD” (rather than “MUST”) quite a lot when leaving servers free to ignore your privacy addressing.
Are you familiar with FRS radios? They had a feature called privacy codes, where a group of people would set the same code to communicate. But all of the comms were really on the same channel; the codes simply filtered out what one didn't want to hear.
So they provided no actual privacy, just the illusion of it.
Same thing here, unfortunately. The ActivityPub protocol is largely a broadcast protocol, sending content into the cloud with only suggestions as to who should see it.
You can believe that every link in the chain will behave and respect your wishes, but a scraper is free to ignore them and do what they want even if your post is marked private.
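To make the point concrete, here is an added example (it is not code from the post or from any ActivityPub implementation). It builds a few Activity Streams Notes with the to/cc addressing the protocol uses, infers visibility from them the way a well-behaved server would, and then shows that a "scraper" reading the same JSON never has to consult those fields at all. The actor and follower URLs are hypothetical, and the public/unlisted/followers/direct mapping is the convention Mastodon-style servers use, not something the ActivityPub spec itself defines.

```python
"""Added example: ActivityPub addressing is advisory metadata, not access control.

Assumptions: the actor/follower URLs are hypothetical, and the visibility
mapping below is the Mastodon-style convention, not part of the spec.
"""

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
ALICE = "https://example.social/users/alice"          # hypothetical author
ALICE_FOLLOWERS = ALICE + "/followers"                # hypothetical followers collection
BOB = "https://other.example/users/bob"               # hypothetical intended recipient
CAROL = "https://third.example/users/carol"           # hypothetical bystander


def note(note_id, content, to, cc=()):
    """Build a minimal Activity Streams 2.0 Note with explicit addressing."""
    return {
        "@context": "https://www.w3.org/ns/activitystreams",
        "id": f"{ALICE}/statuses/{note_id}",
        "type": "Note",
        "attributedTo": ALICE,
        "content": content,
        "to": list(to),
        "cc": list(cc),
    }


# Constructed sample notes, one per visibility level, addressed the way
# Mastodon-style servers address them on the wire.
SAMPLE_NOTES = [
    note(1, "public post", to=[PUBLIC], cc=[ALICE_FOLLOWERS]),
    note(2, "unlisted post", to=[ALICE_FOLLOWERS], cc=[PUBLIC]),
    note(3, "followers-only post", to=[ALICE_FOLLOWERS]),
    note(4, "direct message to bob", to=[BOB]),
]


def visibility(n):
    """Infer the author's intent from to/cc (Mastodon-style convention)."""
    if PUBLIC in n.get("to", []):
        return "public"
    if PUBLIC in n.get("cc", []):
        return "unlisted"
    if ALICE_FOLLOWERS in n.get("to", []):
        return "followers"
    return "direct"


def recipients(n):
    """Every address the note was sent to, from both fields."""
    return set(n.get("to", [])) | set(n.get("cc", []))


def polite_server_shows(n, viewer, viewer_follows_author):
    """A receiving server that chooses to honor the addressing.

    Nothing in the protocol forces a server to run code like this; it is a
    local policy decision on every server (and every client) the note reaches.
    """
    v = visibility(n)
    if v in ("public", "unlisted"):
        return True
    if v == "followers":
        return viewer_follows_author or viewer in recipients(n)
    return viewer in recipients(n)          # direct: only explicit addressees


def scraper_collects(notes):
    """A scraper reads the content field and never looks at to/cc at all."""
    return [n["content"] for n in notes]


if __name__ == "__main__":
    for n in SAMPLE_NOTES:
        print(f"{visibility(n):10} carol sees it on a polite server: "
              f"{polite_server_shows(n, CAROL, viewer_follows_author=False)}")
    print("scraper sees:", scraper_collects(SAMPLE_NOTES))
```

Running it, a polite server hides the followers-only post and the direct message from Carol, while the scraper returns all four bodies, including the "private" ones, because "private" exists only as a field the recipient is trusted to read and honor.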