I think there is some confusion on how devices authenticate with Exosite. In Murano there is a way to use a proper private key, as in public key cryptography, or you can use an Exosite device authentication token. The method using the vernacular of a "private key" is TLS client certificates, and the other is the One Platform backwards-compatible device authentication token method.
You are right, in the authentication token model a key will be generated in the server and then sent over the internet to the device. The device is then expected to present this key in a custom header in order to authenticate requests made of the device HTTP API. This is why for production devices we by default expect devices to connect with us through TLS. Without getting a hold of us to talk about why your hardware or solution cannot support, or has a good reason not to support, TLS, we do not allow our customers to deploy devices at scale on unencrypted communications.
However, if your Solution has no need to be backwards compatible with an existing connected product deployed on Exosite's software, then you should seriously consider implementing the TLS client certificate authentication model. This is Exosite's recommended authentication scheme, and if set up properly the private key will never leave the memory of the physical device. I think that this method is much more in line with the standards you were worried that we were violating.
Let me know if this answers your questions and concerns. I am perfectly happy to talk to you about how the provisioning models work and to specifically address concerns that you may have.
Happy to help,
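Added example, not part of the reply above and not Exosite's own provisioning tooling: a minimal TLS client-certificate flow with openssl that shows the property the reply emphasises, namely that the device private key is generated on the device and only a certificate signing request crosses the network, whereas in the token model the secret itself is sent to the device. The CA name, device name, directory layout and the `X-Device-Token` header in the comments are constructed placeholders, not Exosite identifiers.

```shell
# Provision into directory $1: operator CA, device key + CSR, CA-signed device cert.
provision_device_cert() {
  dir=$1
  mkdir -p "$dir"
  # Operator side: a self-signed CA standing in for the solution's signing authority
  # (constructed placeholder, not a real PKI).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=example-device-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # Device side: the private key is created here and never exported;
  # only device.csr (public key + identity) is sent to the operator.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=device-0001" \
    -keyout "$dir/device.key" -out "$dir/device.csr" >/dev/null 2>&1
  chmod 600 "$dir/device.key"
  # Operator side: sign the CSR. The CA never handles device.key.
  openssl x509 -req -days 365 -in "$dir/device.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/device.crt" >/dev/null 2>&1
}

# Check: does certificate $2 chain to CA file $1? Exit status 0 means yes.
device_cert_is_valid() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check: does the public key in the issued cert match the on-device private key?
# Both commands emit the SubjectPublicKeyInfo in PEM, so a string compare suffices.
device_key_matches_cert() {
  key_pub=$(openssl pkey -in "$1/device.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$1/device.crt" -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# How the two models look at the HTTP client (illustrative only, not executed here;
# host, path and header name are placeholders):
#   client cert: curl --cert device.crt --key device.key --cacert ca.crt https://<host>/<path>
#   token:       curl -H "X-Device-Token: <token issued by the server>" https://<host>/<path>
# In the first the secret stays in device.key. In the second the secret is whatever the
# server sent down, so TLS on the transport is what keeps it from being observed in flight.

# Stand-alone run:
# W=$(mktemp -d); provision_device_cert "$W" && device_cert_is_valid "$W/ca.crt" "$W/device.crt" && echo "chain OK"
```

The two checks are the ones worth keeping in a provisioning pipeline: the issued certificate must verify against the operator CA, and its public key must match the key that was generated on the device, which catches a CSR that was swapped or signed against the wrong request.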