The problem is still the same: there will be a 3 in a million chance for someone to find the private key I sent. That's an unacceptable risk.
Not just any someone, it would have to be someone who is a MITM. Otherwise, you will know the key was stolen if your friend has not received it. Crosspass will release the shared secret only once, and expire the PIN.
That's different than what you said on your website:
note that the Lookup ID is not secret, so you can make it public without any loss of privacy.
This makes it look like you can post the Lookup ID on social media.