source code responsible for this behavior: https://github.com/bitcoin/bitcoin/blob/086cb336cd8ac0b2a7ad9ff0544c014569c7db38/src/wallet/wallet.cpp#L557
1. Launch Bitcoin Core for the first time (with an unencrypted wallet).
2. Generate 3 receiving addresses.
3. Encrypt wallet and restart Bitcoin Core.
4. Generate 5 receiving addresses.
This means that the first 3 private keys were exposed unencrypted to the hard drive, but the second 5 private keys were only written out encrypted to the hard drive. Am I right?
Yes, those keys that have been shown to the user before the encryption will still be part of the wallet.dat and thus stored w/o encryption. Those that have been generated afterwards will never be stored without the encryption (well unless you export them manually or something similar).