They do not honour the privacy of PMs.
Once I discovered this, I seriously locked down my Facebook use.
I had a minor foot injury that a gym instructor suggested a possible diagnosis for.
I mentioned the name once in a PM on facebook. From that point almost all my adverts on FB were for the condition.
I removed all FB apps as a result. I removed FB from the noscript whitelist. I also installed the self destructing cookies addon.
I now almost exclusively use mbasic.facebook.com (much nicer on a desktop than the regular site, to be honest)
I no longer have in depth conversations using the chat facility (I generally used XMPP, but that seems to have packed up anyway)