Would it be good practice to make as many functions as possible private or internal?
With a lot of the recent hacks it seems to be the hackers are getting in through calling functions in unexpected, roundabout ways that isn't always clear to the developer when they publish the code. It seems like if a function can be private or internal it would help.
Whenever possible, you should always limit your scope when programming. If one part of your code doesn't need access to another part of your code, it shouldn't be given access. This is popularly referred to as the principle of least privilege.
So you would be correct in defaulting your functions to use private/internal modifiers.
However, I would caution you on assuming that your contract is secure because you limit who can call what functions.
If you send funds before decrementing a balance or rely on sending messages for control flow, you're still vulnerable to attacks.
Restricting scope by default is good practice, but restricting scope alone will not prevent attacks that leverage poor order of operations or re-entrancy attacks.
Always make your program as abstract as possible. If you do not want a function to be called by outside the contract, keep it private. Use modifiers to prevent undesired inputs or function calls. Try to create permissions as owner and check using msg.sender for a function.
The best security is when there is no access points inside the contract.
