You should not assume your communications are private if there is no end-to-end encryption. Also, the employers are often required to do this because of regulations. (I think those are silly regulations given that end-to-end encryption is so easily available nowadays, but the companies don't really have a choice here.)
You shouldn't assume they're private just because they're encrypted. Employers can and will install SSL certs on your desktop machine so that they can decrypt and scan/archive everything at the gateway. This is standard practice in financial companies, and is easily done anywhere.
They can also install screen capture and key logging software if they want, but that's less common and without disclosure is a lot shadier (although certainly legal in the US). I wouldn't expect it most places; it's a more extreme step.
But never trust encryption at work unless you know your company's policies.
If the employer had physical access, what would prevent them installing a rootkit? Then you couldn't detect a fake certificate no matter what you tried. Or deeper, if you distrust the provided software, what makes you trust the hardware? It's turtles all the way down ;)
I'm not talking about anything shady here. We're told that they're going to update our desktop SSL certificates for this reason. Partially CYA, partially compliance/legal. I'd probably quit if someone were keylogging or screengrabbing my work machine without my knowledge, but I'm not talking about employers being sneaky.
And this is exactly end-to-end encryption that the original thread responder mentioned; I know it's in place so I won't connect to my personal accounts from the work machine. That's what my phone is for (and I won't use their wifi for my phone, either).
The OS should have a trusted CA list somewhere (not sure where OSX does); checking that it matches a fresh install should be the first step. Note that there might be multiple lists - Firefox, for one, tends to keep their CA list separate.
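The comparison suggested in the last comment, sketched as an added example (not code from anyone in the thread): it fingerprints every certificate in each trust store and reports what differs from a fresh-install baseline, treating the OS and browser lists separately. It assumes each store has already been exported as a PEM bundle; the function names and the sample "certificates" are constructed placeholders.

```python
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def fingerprints(bundle_text):
    """SHA-256 fingerprints of every certificate in a PEM bundle."""
    fps = set()
    for body in PEM_RE.findall(bundle_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def diff_stores(baseline_text, current_text):
    """Certificates added to or removed from a store, relative to the baseline."""
    base, cur = fingerprints(baseline_text), fingerprints(current_text)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}

def audit(baseline_text, stores):
    """stores maps a store name (OS, browser, ...) to its exported PEM text."""
    return {name: diff_stores(baseline_text, text)
            for name, text in stores.items()}

def fake_pem(label):
    # Constructed placeholder bytes wrapped in PEM armour, not real certificates.
    return ssl.DER_cert_to_PEM_cert(b"constructed-cert:" + label)

# Constructed sample data: a baseline of two roots, an OS store with one extra
# CA pushed to it, and a browser store that keeps its own, shorter list.
BASELINE = fake_pem(b"root-A") + fake_pem(b"root-B")
OS_STORE = BASELINE + fake_pem(b"corp-inspection-CA")
BROWSER_STORE = fake_pem(b"root-A")

if __name__ == "__main__":
    report = audit(BASELINE, {"os": OS_STORE, "browser": BROWSER_STORE})
    for store, delta in report.items():
        print(store, "added:", delta["added"], "removed:", delta["removed"])
```

Any fingerprint under "added" is a CA the fresh install did not ship and is the one to look up; as the rootkit comment above points out, the result is only as trustworthy as the machine the export was taken on.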