Cache-Control: private HTTP headers and body. Should this be reported as security concern?

Question

BACKGROUND:

I\'m reading the OWASP testing guide for web applications

Session ID should never be sent over unencrypted transport and