I guess because the unauthorized thing isn't linked. Giving you the link is like giving you a password... They're both just strings although one is considered to be more secret than the other. Guessing at links is like guessing at passwords: it's overcoming the fact that you weren't provided with the string that gets the server to respond with the stuff.
I don't like this but I think it's how it legally could play out.
I don't like this but I think it's how it legally could play out.