What should a http client do if server returned Cache-Control: private, public ?
I have a feeling private should override public, but I can't find a confirmation in the RFC (other than MUST in private and MAY in public).
From a pragmatic point of view, err on the side of caution and treat it "private".
That way you cause a little extra network traffic for the lousy server, but keep your user's (potentially private) data safe.