A private module is a ModuleScript which has been uploaded to the ROBLOX website and can be used by any game, but its source can only be viewed by the user who uploaded it.
Normally a ModuleScript can only be required by the user who uploaded it, but if the ModuleScript is named "MainModule", then any game can require it.
Yes, it is possible to obtain the source of a private module. This is usually accomplished by requiring the module, getting a reference to the module's ModuleScript, parenting the ModuleScript to the DataModel, causing the game to save, and then opening the game in ROBLOX Studio to view the ModuleScript's source.
The most effective way to prevent this type of exploit is to place this line of code at the beginning of your ModuleScript:
This will erase all references to the ModuleScript, preventing the exploiter from obtaining a reference to the ModuleScript. If your ModuleScript has children, you can do this:
This will replace the ModuleScript with a blank ModuleScript, which means even if an exploiter gets a reference to the ModuleScript and manages to save it, its source will be blank.