hook_file_download() is called on every private file download, and every module has the chance to block access to a file (by returning -1), grant access (by returning some headers) or not get involved (by returning nothing). If no modules return anything, the file is not served.
ckeditor_file_download() breaks this by always returning file headers if the file is present in the CKeditor upload directory, which is by default where all other files are uploaded. This means that CKeditor is granting access to all private files, unless another module expressly denies access. This seems to me to be undermining the way the private file system was designed.
Incidentally there is an easy workaround, which is to set the 'Location of files uploaded with CKEditor in the private folder:' to a subdirectory, but it's pretty difficult to narrow down why private file system isn't working as expected to this config setting.
Hope that's helpful.