The federation API isn’t using E2E either. It makes no difference if you use your mobile client to contact the mobile API or if you’re hosting your own instance to use the federation API in safety regards. You should always be aware that every message / post / image you publish (even in a closed group) in the internet could be traced back to you and with enough afford be available to anybody with the right skills.
Only end to end encryption can help you there - this is the way.
There is also the question of trust: The best solution should be an infrastructure that is due to E2E not able to read the messages it processes. The problem with this setup is, that you want to communicate publicly and you never know, who is part of your communication. I would advice to use signal or matrix if you need E2E. If not, use either Tor to proxy lemmy and try to stay anonymous or be aware, that your messages are not (which is always the best approach in my opinion).