The only way to ensure privacy is something like PGP. Encrypt before you send. Heck you could even encrypt before you put the contents into a message body.
With self hosted, the messages themselves aren’t encrypted at rest and they are clear text between hops even if those hops support TLS in transit.
Ultimately the right answer for you will hinge on what your definition and level of privacy is.
Ran WireGuard on a Pi1 and it was fine for two users. Albeit WireGuard was the ONLY thing running aside from a Gitlab Runner.
A 4b should be more than enough for many use cases except things that cause torrents of packets - but even then YMMV. It really depends on the workload.
One bit of advice: if you can, use a storage device other than the micro-sd slot for the 4B. Again YMMV.