If it's online, it's public.
As a popular (among privacy-minded folks) dictum notes: if you're not paying for it, you're the product.
There are privacy settings available, sure. Problem is, Facebook's value proposition is in being a huge privacy-sucking machine.
There are plenty of other ways for data to leak over the 'Net:
- Through apps. These have access to much of your personal data. Apparently the situation's improved, but older apps may still have "grandfathered" access.
- Through advertising engines. Ads and ad networks are FB's bread and butter.
- Through your friends, tagging, and other means. If you can't be found directly, your social graph (a fancy term for "people you know") will probably out you.
- Through back-end snooping.
True story: I work in tech, was investigating a site outage (large, entertainment-industry site). We'd identified one culprit pretty readily, but I suspected other shenanigans. Two of the biggest traffic streams were a distributed query (from a Canadian hosting provider's netspace, a couple hundred separate IP addresses) hitting an email validation query nobody even knew we had (likely a spammer validating stuff).
The other was a search engine for one of a number of "personal information aggregators" -- those people search / classmate finder type services. Together the traffic was more than we saw from major search engines (search-engine spiders are generally your largest traffic hits), over 10% of our daily hits.
I've also interviewed for numerous companies working with this sort of data -- there's a huge interest in it. I personally don't have a lot of interest in working in that area, though I like to have an idea of what's going on.
Among the reasons the media are having such a spazgasm over FB is that it's a huge marketing/advertising/demographics trove for them as well.
FB have been opening up rather than closing privacy, pretty markedly, over the past few years: