The rules are:
- you cannot protect a machine from its administrator
- you cannot protect a machine from someone that has physical access to it
Depending on the kind of cloud service (PaaS or IaaS), the cloud admins may be administrators of the client VM. If they are, no more questions: they can read everything from the client machine. But even if they are not, they can always take a snapshot of the running machine and put their hands on it. As on a cloud the VM is supposed to be able to restart unattended, any secret must be present in invertible form in the machine itself, so if the attacker is the hosting service, you can only use obfuscation techniques, but no strong encryption.
TL;DR: The answers for question 1 are: no, data is not private, and yes, the cloud can read it. For question 2 the answer is still no, you cannot securely hide anything on a cloud machine.
Not necessarily relevant here, but added for completeness:
The above assumes that the data has to be used in the VM. But there is a use case where data in the cloud can be seen as securely encrypted: when the VM contains encrypted data and not the key. That means that the data has to be encrypted on a remote system and is sent in encrypted form. It can later be retrieved (still encrypted) from the same or another system knowing a decryption key. Examples are webapps using client-side encryption, or even more simply, raw storage of an encrypted file or container.
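Added example, not part of the original answer: it contrasts a VM snapshot that holds the key beside the data (the unattended-restart case) with one that holds only client-side ciphertext. The HMAC-SHA256 keystream and tag are a standard-library stand-in for a vetted AEAD such as AES-GCM, and all function names, file names and sample values are constructed for illustration.

```python
import hashlib, hmac, os

def _keys(passphrase, salt):
    # One encryption key and one MAC key derived from the client's passphrase.
    k = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream (stand-in for AES-GCM/ChaCha20).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(passphrase, plaintext):
    """Runs on the client: returns salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(passphrase, blob):
    """Verify the tag first, then decrypt; ValueError on wrong key or tampering."""
    if len(blob) < 64:
        raise ValueError("not a sealed blob")
    body, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = _keys(passphrase, body[:16])
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return _xor_stream(enc_key, body[16:32], body[32:])

def recover_from_snapshot(disk):
    """Hosting admin's view: try every byte string in the snapshot as the key."""
    for blob in disk.values():
        for candidate in disk.values():
            try:
                return unseal(candidate, blob)
            except ValueError:
                continue
    return None

if __name__ == "__main__":
    secret, key = b"constructed sample record", b"constructed passphrase"
    blob = seal(key, secret)
    # Unattended restart: key stored beside the data, so the snapshot yields it.
    print(recover_from_snapshot({"data.bin": blob, "boot.key": key}))
    # Client-side encryption: only ciphertext is on the VM.
    print(recover_from_snapshot({"data.bin": blob}))
```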