In the code inside the function imagecache_transfer, the header is set as below:

$headers[] = 'Cache-Control: max-age=1209600, private, must-revalidate';

Should this private header be set only if it's a private file (i.e. pass in a flag to see if this is private)?

I would propose passing the flag to this function and only including 'private, must-revalidate' if the file being served is from the private location.
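The proposal above, sketched as an added example that is not the imagecache module's own code: the helper name imagecache_cache_control_header() and its $is_private parameter are hypothetical, standing in for whatever flag imagecache_transfer() would receive from the caller that knows which file system the image lives in.

```php
<?php
// Added example, not code from the imagecache module. The helper name and
// the $is_private flag are hypothetical; they illustrate building the
// Cache-Control header so that 'private, must-revalidate' is emitted only
// for files served from the private file location.

/**
 * Build the Cache-Control header for a served image.
 *
 * @param bool $is_private  TRUE when the file comes from the private location.
 * @param int  $max_age     Cache lifetime in seconds (the module uses 1209600).
 *
 * @return string
 *   The complete header line.
 */
function imagecache_cache_control_header($is_private, $max_age = 1209600) {
  $directives = array('max-age=' . (int) $max_age);
  if ($is_private) {
    // 'private' forbids shared caches (proxies, CDNs) from storing the
    // response; 'must-revalidate' forces a stale copy to be checked with
    // the origin before it is reused. Both only make sense for files whose
    // access is controlled per user.
    $directives[] = 'private';
    $directives[] = 'must-revalidate';
  }
  return 'Cache-Control: ' . implode(', ', $directives);
}

// Usage: the caller decides the flag from the file's location. The two
// calls below are constructed input for illustration.
$headers = array();
$headers[] = imagecache_cache_control_header(FALSE); // public-location file
$headers[] = imagecache_cache_control_header(TRUE);  // private-location file
print implode("\n", $headers) . "\n";
```

One caveat a reviewer would want on the record: even with 'private', the max-age still lets the user's own browser keep the file for the full lifetime, so if access to a private file can be revoked within that window the header needs a shorter max-age or no-store rather than just the private directive.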