Publishing the private key only allows for spoofing, not decrypting, unless you fail to use ephemeral Diffie-Hellman, which seems to be the default for most clients nowadays.
Let's hope no IoT company is stupid enough to send customer data over this. Stuff like LoRa is very popular these days, but they are low bandwidth. Would not be surprising if a company decides that MVNO providers are too expensive and rolls their own communications infrastructure.
With few exceptions, all commercial use of amateur bands is prohibited, and licensing is by operator rather than by device. So for an IoT provider to run into this issue they'd have to have much larger problems on their hands as well.