If an event is marked as private, it shouldn't be stored on the iCalendar server, only in the local client's database (?). Alternatively, it could be stored on the server but flagged as private. This might be a user-configurable option, e.g. "Store private events locally only" vs "Store private events on server".
The situation of "A invites C" would be considerably simplified (particularly once they start negotiating free/busy times) if there were a trust relationship between foo.com and bar.com, so that the iCalendar servers could talk directly to each other.
The servers would need to identify each other securely, and there would need to be some kind of ACL system in place to configure which organisations are allowed to see or manipulate parts of an organisation's calendar. For instance, foo.com might want to allow bar.com to book its meeting rooms, or prevent it from doing so.
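One way the inter-organisation ACL check could look, as an added example that is not part of the original note. The rule format, resource paths, action names and the treatment of private events are assumptions made for illustration, and the peer identity is assumed to have been verified already by whatever mechanism the servers use to identify each other.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Hypothetical names throughout: Rule, is_allowed, the resource paths and
# the action names ("freebusy", "read", "book") are not from any real server.

@dataclass(frozen=True)
class Rule:
    peer: str            # verified organisation identity, e.g. "bar.com"
    resource: str        # glob over this organisation's calendar resources
    actions: frozenset   # actions the rule covers
    allow: bool          # True = permit, False = explicit deny

# Constructed sample policy for foo.com's server. Order matters: the first
# matching rule wins, so the narrow deny precedes the broad allow.
FOO_POLICY = [
    Rule("bar.com", "rooms/boardroom", frozenset({"book"}), False),
    Rule("bar.com", "rooms/*", frozenset({"freebusy", "book"}), True),
    Rule("bar.com", "users/*", frozenset({"freebusy"}), True),
]

def is_allowed(policy, peer, resource, action, private=False):
    """Decide whether a remote organisation may perform an action.

    peer is the identity established when the servers identified each
    other; None means that step failed. Anything not explicitly allowed
    is denied.
    """
    if not peer:
        return False                      # unidentified server: deny
    if private and action == "read":
        return False                      # assumption: private events are
                                          # never readable by another org
    peer = peer.lower()                   # domain names are case-insensitive
    for rule in policy:
        if (rule.peer == peer and action in rule.actions
                and fnmatchcase(resource, rule.resource)):
            return rule.allow
    return False                          # default deny

if __name__ == "__main__":
    for res, act in [("rooms/101", "book"), ("rooms/boardroom", "book"),
                     ("users/alice", "freebusy"), ("users/alice", "read")]:
        print(res, act, is_allowed(FOO_POLICY, "bar.com", res, act))
```
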