Chainstack generates and exposes a public/private key pair for each MultiChain node.
You can use the recipient's public key to encrypt their payload off-chain and store the encrypted message in a stream they are subscribed to. The recipient can decrypt the message with their private key. More on this method.
Alternatively, you can encrypt the message off-chain using an encryption scheme such as AES, where a password is required to decrypt the message. The password is then encrypted with the recipient's public key using the RSA encryption scheme. The AES-encrypted message can be stored on one stream that the recipient has access to, and the RSA-encrypted password on another stream. The recipient reads the RSA-encrypted password and decrypts it with their private key. The recipient then reads the AES-encrypted message and decrypts it with the AES password. More on stream confidentiality in MultiChain.
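
The AES-plus-RSA scheme described above, sketched with Node.js's built-in `crypto` module as an added example (it is not Chainstack's or MultiChain's own code). Assumptions: a random 32-byte key stands in for the AES password, AES-256-GCM and RSA-OAEP are the chosen modes, the key pair is generated locally rather than taken from a node, and all function names are hypothetical.

```javascript
const crypto = require("crypto");

// RSA-OAEP with SHA-256 for wrapping the AES key (assumed parameters).
const oaep = (key) => ({
  key,
  padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: "sha256",
});

// Constructed stand-in for the recipient node's key pair.
function newRecipientKeys() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Sender: returns two hex strings, one item for each stream.
function sealForRecipient(plaintext, recipientPublicKey) {
  const aesKey = crypto.randomBytes(32); // fresh "password" per message
  const iv = crypto.randomBytes(12);     // never reuse an IV with the same key
  const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();       // 16-byte integrity tag
  return {
    // Item for the message stream: iv || tag || ciphertext.
    messageItem: Buffer.concat([iv, tag, body]).toString("hex"),
    // Item for the key stream: AES key encrypted with the public key.
    keyItem: crypto.publicEncrypt(oaep(recipientPublicKey), aesKey).toString("hex"),
  };
}

// Recipient: unwraps the AES key with the private key, then decrypts.
// Throws if the key item was sealed for someone else or the message
// item was modified after publication.
function openAsRecipient(messageItem, keyItem, recipientPrivateKey) {
  const aesKey = crypto.privateDecrypt(
    oaep(recipientPrivateKey),
    Buffer.from(keyItem, "hex")
  );
  const raw = Buffer.from(messageItem, "hex");
  const iv = raw.subarray(0, 12);
  const tag = raw.subarray(12, 28);
  const body = raw.subarray(28);
  const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}
```

Because every stream subscriber can read both items, confidentiality rests entirely on the recipient's private key; the GCM tag additionally lets the recipient detect a message item that was altered.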