If you're truly concerned with security, that is, you want to prevent malicious users of your API from doing things that could be harmful to other users or to you, then making functions private will do very little to help you achieve your goals of protection. If a malicious person wants to call a private function, they only need to discover its existence, find its location in the executable, determine the proper calling convention and parameters, and then they can freely call it with whatever parameter values they want. While the above steps aren't trivial, especially for your average script kiddie, for a well practiced malicious agent it's not that hard.
If you're using protected/private to try to 'secure' an API, it'd be even more trivial for a user just to add the following lines before including your headers:
#define protected public
#define private public
And they will have access to all the innards of your classes as if they had the friend designation.
It's probably best to think of protected and private as mechanisms to encourage and simplify correct use of your API rather than to prevent misuse.