They're correct. The blockchain just records that the funds were sent to your address. To spend the funds you have to show the public key which hashes to that address, in another transaction signed by the private key.
If the sender wanted to send you a private message, they would need your public key, but that's not what transactions do.
Sending to an address means sending it to a "hash" of a public key (or a more complex script) on all modern formats. Then that script and data are revealed on spend.
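The commit-then-reveal behaviour described in the comment above, as an added example that is not part of the original thread: it uses P2WSH, one format where the output holds only the SHA-256 of a script, and checks a script revealed at spend time against that commitment. The placeholder key and the function names are constructed for illustration, and signature verification is left out.

```python
import hashlib

OP_0 = 0x00         # witness version 0
OP_CHECKSIG = 0xAC

# Constructed sample: 33 placeholder bytes standing in for a compressed
# public key. It is not a real key and not taken from the thread.
SAMPLE_PUBKEY = bytes([0x02]) + bytes(range(32))


def witness_script(pubkey: bytes) -> bytes:
    """<pubkey> OP_CHECKSIG: the script the owner keeps off-chain until spending."""
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])


def p2wsh_script_pubkey(script: bytes) -> bytes:
    """What the sender writes into the output: OP_0 <32-byte sha256(script)>."""
    return bytes([OP_0, 32]) + hashlib.sha256(script).digest()


def parse_p2wsh(script_pubkey: bytes) -> bytes:
    """Return the 32-byte commitment, rejecting anything that is not P2WSH."""
    if len(script_pubkey) != 34 or script_pubkey[0] != OP_0 or script_pubkey[1] != 32:
        raise ValueError("not a P2WSH output script")
    return script_pubkey[2:]


def pubkey_visible(script_pubkey: bytes, pubkey: bytes) -> bool:
    """True if the raw public key bytes appear in the funded output."""
    return pubkey in script_pubkey


def reveal_matches(script_pubkey: bytes, revealed_script: bytes) -> bool:
    """Hash check done at spend time: the revealed script must hash to the commitment."""
    return hashlib.sha256(revealed_script).digest() == parse_p2wsh(script_pubkey)


if __name__ == "__main__":
    script = witness_script(SAMPLE_PUBKEY)
    output = p2wsh_script_pubkey(script)
    print("output script :", output.hex())
    print("key in output :", pubkey_visible(output, SAMPLE_PUBKEY))   # at funding
    print("reveal accepted:", reveal_matches(output, script))          # at spend
    other = witness_script(bytes([0x03]) + bytes(32))
    print("wrong script  :", reveal_matches(output, other))
```
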
Are you sure? What about when someone sends to it?