Many aggregators don't handle password-protected feeds well: some don't support it at all, and some do support it (either fully or with the user ID and password in the URL) but aren't very secure. What if you used hard to guess feed URLs? For example:
http://myhost/feeds/[big cryptographically unique ID]
It works with any reader. If it leaks out, others won't be able to access your account (they don't have your real password).
On the down side, if you subscribed to this feed in something like Bloglines, wouldn't Bloglines index it so other users could search it? Of course Bloglines supports embedding the user ID and password in the URL. Does Bloglines index these feeds?
I started replying in a comment, but it got too long and interesting:
There was an intersting discussion on using this technique on the P2P Hackers & REST Discuss mailing lists (although it was more for conventional webpages rather than just feeds).
I think it has some promise and I've been thinking of using it in one of my projects, but there are some things to be aware of:
1) Referrers. If your feed includes resources from or links to other sites you need to make sure links go though a redirector to strip the referrer headers.
2) Use https (if possible). This will partially solve the referrer problem (although not when readin via an aggreagor), and could be used as a sign for the aggregaror not to index it.
I don't think Bloglines does index password protected feeds. That creates an interesting possibility: create a feed that requires HTTP basic authentication, but accepts any combination of usernames and passwords. That will signal to aggregators not to index that feed, but doesn't have the security risks associated with sharing a real username/password.