I am presuming that an app's private data, such as SharedPreferences and SQLite databases, live on the phone's internal storage rather than the SD card, even if the app itself is installed on the SD card.
I can't find a simple explicit confirmation of this anywhere. Can someone please confirm?
Yes, private data reside in internal storage. I've tested this by exploring file system on rooted device.
If app is "installed" on SD card, only APK file is stored on card in some encrypted form. All other app data are in /data/data// folder.