- Bug
- Resolution: Fixed
- Minor
- 3.5
- MOODLE_35_STABLE
- MOODLE_34_STABLE, MOODLE_35_STABLE
If a user has the moodle/user:update capability but is denied or lacks the moodle/user:viewalldetails capability, they can still view/edit private profile fields.
In some places (e.g. \profile_field_base::is_visible) a user must have the moodle/user:viewalldetails capability to view other users' fields that are marked as PROFILE_VISIBLE_PRIVATE.
I would say that this is the correct behaviour.
There are three places where the viewalldetails capability is ignored and the moodle/user:update capability is checked instead. This means that if a user is denied the moodle/user:viewalldetails capability they can still edit (and so view) the values of private custom fields.
The places this is an issue are:

- user/profile/lib.php, function profile_definition
  The line:
      if ($display or $update) {
  should be changed to:
      if ($display && $update) {

- \profile_field_base::edit_field
  The line:
      if ($this->field->visible != PROFILE_VISIBLE_NONE
          or has_capability('moodle/user:update', context_system::instance())) {
  should be changed to check the viewalldetails capability.

- \profile_field_base::edit_after_data
  The line:
      if ($this->field->visible != PROFILE_VISIBLE_NONE
          or has_capability('moodle/user:update', context_system::instance())) {
  should be changed to check the viewalldetails capability.
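The guard in edit_field and edit_after_data, as an added stand-alone PHP model (not Moodle's code) of its form before and after the requested change: the has_capability() stub, the user arrays and the constant value are assumptions of this example.

```php
<?php
// Added stand-alone example, not Moodle code. It models the guard in
// profile_field_base::edit_field (and edit_after_data) before and after the
// change requested above, with a stub capability checker.
// The constant value and the user-array layout are assumptions of this example.
const PROFILE_VISIBLE_NONE = 0;

// Stub for Moodle's has_capability(): a user here is an array listing the
// capabilities they hold; anything not listed counts as denied.
function has_capability(string $capability, array $user): bool {
    return in_array($capability, $user['caps'], true);
}

// Before: falls back to moodle/user:update, so a user who is denied
// moodle/user:viewalldetails still gets a "not visible" field rendered for editing.
function field_editable_before(int $visible, array $user): bool {
    return ($visible != PROFILE_VISIBLE_NONE)
        || has_capability('moodle/user:update', $user);
}

// After: falls back to moodle/user:viewalldetails, the capability that
// profile_field_base::is_visible already requires for these fields.
function field_editable_after(int $visible, array $user): bool {
    return ($visible != PROFILE_VISIBLE_NONE)
        || has_capability('moodle/user:viewalldetails', $user);
}

// Constructed users: one holds only update, one holds both capabilities.
$updateonly = ['name' => 'update-only', 'caps' => ['moodle/user:update']];
$fullaccess = ['name' => 'full-access',
               'caps' => ['moodle/user:update', 'moodle/user:viewalldetails']];

// Only the update-only user changes outcome: editable before, denied after.
foreach ([$updateonly, $fullaccess] as $user) {
    printf("%-12s before=%s after=%s\n", $user['name'],
        var_export(field_editable_before(PROFILE_VISIBLE_NONE, $user), true),
        var_export(field_editable_after(PROFILE_VISIBLE_NONE, $user), true));
}
```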
- caused a regression: MDL-62965 User profile fields missing on signup page
- Closed