To both of your questions: yes. Your privacy for paying ecash-to-LN is the same as with ecash-to-ecash except that the mint can see the LN destination (Lightning needs blinded paths for this). Much better privacy than any other custodial LN. You can lock tokens with P2PK. Wallet support is still limited but it allows what you described. Tokens can't be stolen if the hacker doesn't know your private keys. Cashu txs are not reversible. Once ecash is stolen, it's stolen. This property also means that you enjoy strong censorship resistance as a user though, which is why it's preferable imo.
Thanks 🙏 It would be cool to see P2PK supported in wallets, or even just an option to lock the token with an arbitrary PIN or passcode. Without it, sending ecash tokens feels a bit like sending cash in the mail. And that helps put the privacy into better context. Now hopefully we will see more trustworthy mint operators, or maybe even some way to gauge their trustworthiness. I get very nervous when I see that I've accepted ecash from a mint running on the LNbits demo site. I am quick to swap those into my Lightning wallet.