There's a TODO in the code for navigationlib.php immediately before the outputting of the "my private files" link which confirms that a capability check is required.

In a site where the private files repository is disabled, the link is still displayed.

I think we need a check that the repository is enabled, and a capability check before the link is output in the nav block.