1. The private key is what you log in with. The way it works is you sign a "session identifier" with your private key. The server verifies this signature with the public key it has on file, i.e. the public key blob you put in the .ssh/authorized_keys file.
This plugin requires the private key because it's acting as a client and because it needs to be able to log in.
2. A user that can write to the WordPress files / directory? Could be the user that owns the files or a user in the same group as the owner, assuming the permissions are set appropriately.
We have not installed WordPress from the Debian package repository.
What does that have to do with anything?
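
The signing exchange described in point 1, as an added example that is not part of the original post or the plugin's code: a simplified Node.js model in which the server holds only the public key and the client proves possession of the private key. The key pairs, function names, and the random session identifier are assumptions; real SSH derives the session identifier from the key exchange and signs it together with other request fields.

```javascript
// Simplified model of SSH public-key login (illustrative, not the plugin's code).
const nodeCrypto = require('crypto');

// Constructed key pairs: one for the plugin's account, one for an unrelated user.
const pluginKey = nodeCrypto.generateKeyPairSync('ed25519');
const otherKey = nodeCrypto.generateKeyPairSync('ed25519');

// Server side: stand-in for ~/.ssh/authorized_keys, which holds public keys only.
const authorizedKeys = [pluginKey.publicKey];

// Each connection gets a fresh session identifier (random bytes here, as an assumption).
function newSessionId() {
  return nodeCrypto.randomBytes(32);
}

// Client side: prove possession of the private key by signing the session identifier.
function clientSign(privateKey, sessionId) {
  return nodeCrypto.sign(null, sessionId, privateKey);
}

// Server side: accept only if an authorized public key verifies the signature
// over the session identifier of this connection.
function serverAccepts(sessionId, signature) {
  return authorizedKeys.some((pub) =>
    nodeCrypto.verify(null, sessionId, pub, signature));
}

function demo() {
  const session = newSessionId();
  const goodSig = clientSign(pluginKey.privateKey, session);
  return {
    // Client holding the matching private key is accepted.
    rightKey: serverAccepts(session, goodSig),
    // A key that is not in authorized_keys is rejected.
    wrongKey: serverAccepts(session, clientSign(otherKey.privateKey, session)),
    // A signature captured from one session does not verify for another.
    replayed: serverAccepts(newSessionId(), goodSig),
  };
}

console.log(demo());
```

The server never sees the private key, which is why the client side (here, the plugin) is the one that has to hold it.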