Yeah, I'm not clear on that either. I know you can set up servers with different IPs on DO to talk with each other and from there "privacy" is a matter of configuration. Seems like UFW would be a tool to use for that.
But I am not a "network specialist" and I've never even looked at AWS, so there's bound to be a lot I don't know in this arena.
In my experience non-cloud networks run by professionals rarely use compute-side firewalls in general, and VPC is a powerful analogue for this. AWS VPC and security groups expose the entirety of your network configuration in a single location with easy ways to visualize it and manipulate it. They are also a lot easier for someone who is not a network specialist to correctly work with; "only allow network access over port X from machines tagged with security group A" is trivial (using an additional layer atop VPC's lower-level subnet/route table/gateway primitives).
I don't remember the last time I configured a compute-side firewall, whether in a cloud environment, a physical network environment, or in my home (my router does VLANs and allows rules between them).
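The "only allow network access over port X from machines tagged with security group A" rule mentioned above, written out as Terraform. This is an added example, not code from anyone in this thread; the group names, the port (5432) and the `vpc_id` variable are assumptions for illustration.

```hcl
# Added example (not from the thread): "only allow port 5432 from machines in
# security group A", expressed as AWS security groups in Terraform.
# Group names, the port and the VPC ID are assumptions for illustration.

variable "vpc_id" {
  type = string
}

# Group A: attached to the application servers that may talk to the database.
resource "aws_security_group" "app" {
  name        = "app-servers"
  description = "Application tier"
  vpc_id      = var.vpc_id
}

# Group B: attached to the database servers. A new security group has no
# inbound rules, so everything not explicitly allowed below is denied.
resource "aws_security_group" "db" {
  name        = "db-servers"
  description = "Database tier"
  vpc_id      = var.vpc_id
}

# The rule references the *group*, not individual IPs: any instance that
# carries the app group may reach 5432 on db instances; nothing else can.
# Instances added or replaced later are covered without touching this rule.
resource "aws_security_group_rule" "db_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
  description              = "PostgreSQL from application tier only"
}
```

The compute-side equivalent with UFW (the tool the first post mentions) would be a `ufw allow from <app-host-ip> to any port 5432 proto tcp` rule repeated for each application host and maintained on every database host, which is the per-machine bookkeeping the group reference avoids.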