"When the system is rebooted, it does use encfs to mount the Dropbox/private-data directory as Desktop/.private-data. However, if you use fusermount to unmount that directory, the mount disappears but Dropbox/private-data is not encrypted."
That looks right to me, aside from the unusual choice of names. The Dropbox/private-data directory, as the source of the encfs mount, is where the encrypted data is stored. Files you want to encrypt should (counter-intuitively) go in the hidden mount target directory, Desktop/.private-data. If you place other files in the source directory they will not be encrypted, and may interfere with encfs.
To encourage correct use, the Dropbox directory should have been hidden, and the Desktop directory visible.