tested it again and privacy control does not filter https content.
However, the site will also load not encrypted information and this is what ZA is filtering.
To be more precise the "bs.serving-sys.com" site in https://www.java.com is not loaded encrypted.
This is the only site that is filtered by ZA that includes private headers information, cookies and java scripts.
So yes, ZA is filtering mobile code, cookies and private headers but only for the non-SSL part of the www.java.com site.
Hope this helps