Question about private trees

[balupton]

From the README:

When it receives a transaction for a private tree, it only gossips that transaction to the tree's members (as opposed to its behavior with public trees, which is to gossip transactions to any peer who subscribes to that tree).

How is that guaranteed? Couldn't a custom relay server implementation just ignore that? I imagine if it does make its way to peers who do not have access, they wouldn't be able to decrypt the data, but what prevents them from getting access to the encrypted data? Is it that:

1. peers only replicate with trusted peers and relay servers?
2. peers only tell relay servers that they have some encrypted data, and they do not send the encrypted data to the relay server, the data only stays on trusted peers machines - so if an unauthorised peer does become aware that peer X has encrypted data Y, and requests it from peer X, peer X just says bugger off

if it is the latter, then how does multi-peer redundancy work? Does a peer have to invite the redundancy replicator as a trusted peer to the shard? And if so, wouldn't that mean that anyone providing redundancy can also read? Perhaps there should be these permission levels:

1. no replication, bugger off
2. replication of encrypted data permissible to your machine and your machine only, of which you may or may not have a decrypt key
3. replication of encrypted data permissible to any machine that wishes to replicate it, of which you may or may not have a decrypt key