Does the action of private APIs of iOS need user's manual authentication?
When an enterprise app uses private APIs, the user is not informed nor asked whether to allow that usage.
However, it is not so that the use of private APIs automatically mean that the app has access to "more data" or somehow circumvents existing security checks. This means that if for example the app wants to use photos from your library, it still has to ask permission to use that library, just like any other app you install from the App Store.
Unfortunately it is possible for private APIs to have bugs that nefarious programmers can exploit in order to circumvent security checks. This is also true for public APIs, but it is probably slightly more likely that private APIs will have bugs of this sort.
Also note that installing an app from the App Store is not a guarantee that private APIs won't be used - far from it. The App Store review processs contains some automatized and manual checks that tries to spot the use of private APIs, but it is definitely not foolproof. It is relatively easy for a malicious developer to slip something past this review. Doing so is not without possible consequence for the developer though, as it is possible for Apple to take various steps if this is uncovered later. Ranging from having the developer create an update without the private API usage and up to banning the developer from the App Store and removing their apps from user's phones and suing for damages.
There's no private API that is specifically built for breaking through the sandbox mechanism in iOS. That wouldn't make sense. Private APIs are built by Apple in order to be used in their own apps - and are usually made public in later releases when they have been fine tuned, bugs are fixed and documentation has been created. They wouldn't intentionally create something that invalidates all their work on security.
However, it is again perfectly possibly for any API to have a bug that can be used to escape the sandbox. It is not so that any bug has this property, so it is very hard to find bugs and exploits that would go into this.
Another way to look at it is this:
Will the local 200 employee company, that requires you to install an enterprise app for employee work hours registration, be likely to create a secret exploit that will escape the iOS sandbox and invade your privacy? - Probably not.
Would a fascist dictatorship, that requires journalists to install an enterprise app for seemingly no purpose, be likely to include a secret exploit that will escape the iOS sandbox and invade their privacy? - I would worry about that.