That's pretty much the plan.
I wanted to implement the second item without an RFC, it's on my work queue for months already (the queue is moving rarely these days).
I'll prioritize this then and write an RFC, type privacy needs documentation anyway.
This can't be done without undesirable consequences (either completely out-of-place hacks or breaking globs), privacy is pretty ingrained into the import resolution algorithm.
As I mentioned previously "private and cannot be reexported" is actually a "this pub use doesn't reexport anything" error in disguise.