The serialization engine handles both the public and private state of the objects passed to it. When serializing an object to a stream, remember that the stream now also contains the object's public and private data. If the private data is sensitive, the stream should be treated with particular care (for instance, it should not be transmitted over the wire or persisted to disk without some form of encryption).
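As an added illustration (not code from the original page), the following Python uses the standard `pickle` module as a stand-in for the serialization engine described above. It shows that a field marked "private" by naming convention still lands in the serialized stream by default, and that overriding `__getstate__` keeps the secret out of the stream entirely. The class and field names (`NaiveSession`, `ApiSession`, `api_key`) and the sample key value are constructed for this example.

```python
import pickle

SAMPLE_KEY = "sk-constructed-example-key"  # constructed secret, not a real credential


class NaiveSession:
    """Constructed type with no serialization hooks: demonstrates the leak."""

    def __init__(self, user: str, api_key: str):
        self.user = user            # public data, fine to persist
        self.__api_key = api_key    # "private" by convention, but still instance state


class ApiSession:
    """Same shape, but the secret is excluded from the serialized state."""

    def __init__(self, user: str, api_key: str):
        self.user = user
        self.__api_key = api_key

    def __getstate__(self):
        # Default pickling copies every attribute, including the mangled
        # private one. Drop the secret so it never reaches the stream.
        state = self.__dict__.copy()
        state.pop("_ApiSession__api_key", None)
        return state

    def __setstate__(self, state):
        # Restore public state; the secret must be re-provisioned out of band.
        self.__dict__.update(state)
        self.__dict__.setdefault("_ApiSession__api_key", None)

    def has_key(self) -> bool:
        return self.__api_key is not None


def stream_contains(obj, needle: str) -> bool:
    """Serialize obj and report whether the raw stream exposes `needle`."""
    return needle.encode() in pickle.dumps(obj)


def demo():
    naive = NaiveSession("alice", SAMPLE_KEY)
    safe = ApiSession("alice", SAMPLE_KEY)

    leaked = stream_contains(naive, SAMPLE_KEY)      # True: private field is in the stream
    protected = stream_contains(safe, SAMPLE_KEY)    # False: excluded by __getstate__

    # Round-trip the hardened object: public data survives, the secret does not.
    restored = pickle.loads(pickle.dumps(safe))
    return leaked, protected, restored.user, restored.has_key()


if __name__ == "__main__":
    print(demo())
```

The check in `stream_contains` is the one worth running against your own types before a stream leaves the process: search the serialized bytes for each secret the object holds. If the secret is found, either exclude it from the serialized state (as `ApiSession` does) or treat the whole stream as sensitive and encrypt it before it is written or sent.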