Does this mean that prior to this change, without a software firewall running you'd be vulnerable to attacks on the private network from other customers? (I've never used DO.)
No. The private network was originally shared across all accounts, but later on they changed it to be isolated per account. It's been that way for a couple of years.
The introduction of VPC just means you can isolate within the same account.
Yes, on both Digital Ocean and its 'brother from another mother' Linode. I have a client with a few Linode VPSs and their biggest attacks by far come from the 'private' network.
They also will automatically enable a private network interface for you if you use their Floating IP feature. This caught me by surprise when I found out the hard way :)