by ddorian43 671 days ago
The cookie contents can be changed only if you know the secret config.

Or if you can brute-force the secret, or if there's a vulnerability in the secret, or if... You're relying on the fact that the cryptography will be impregnable, rather than adopting an actual security posture.

Do not trust the data you send to a user to remain secure.

> And you're relying on security through obscurity.

No. It's relying on both cryptography and the inaccessibility of information, which is a tried, practiced, and often federally mandated method of security. Controlling who has access to information is sorta security 101. Don't dump your database to the Internet.

Security through obscurity is allowing REST commands to the /totallysecretaddress/neverleaked/ URI.
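The exchange above turns on how a signed cookie actually behaves. The following is an added example written for this page, not code from the thread or from any framework the commenters may have had in mind. It assumes a conventional scheme in which the server base64-encodes a JSON payload and appends an HMAC-SHA256 tag keyed with the server-side secret; the secrets, usernames and candidate-secret generator are constructed for the demonstration. It shows both sides of the argument: a client who alters the payload without the secret is rejected, and a client who holds one valid cookie and faces a guessable secret can recover it offline and then mint whatever payload they like.

```python
import base64
import hashlib
import hmac
import itertools
import json
import string


def encode_body(payload: dict) -> str:
    """Serialize the session payload. Note this is encoding, not encryption:
    anyone holding the cookie can read it."""
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()


def sign_cookie(payload: dict, secret: bytes) -> str:
    """Cookie = <base64 body>.<hex HMAC-SHA256 tag over the body>."""
    body = encode_body(payload)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, secret: bytes):
    """Return the payload if the tag is valid under `secret`, else None.
    hmac.compare_digest avoids leaking the tag through timing differences."""
    if "." not in cookie:
        return None
    body, tag = cookie.rsplit(".", 1)
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return None


def brute_force_secret(cookie: str, candidates):
    """Attacker side: given one valid cookie, try candidate secrets offline
    until one reproduces the tag. No requests to the server are needed."""
    body, tag = cookie.rsplit(".", 1)
    for guess in candidates:
        if hmac.new(guess, body.encode(), hashlib.sha256).hexdigest() == tag:
            return guess
    return None


def short_lowercase_secrets(max_len: int = 3):
    """Constructed candidate space: every lowercase string of length 1..max_len."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(string.ascii_lowercase, repeat=n):
            yield "".join(chars).encode()


def demo() -> dict:
    # Constructed secrets. A real deployment would use os.urandom(32) or equivalent.
    strong_secret = bytes.fromhex(
        "3b1f9c0d5e7a2b4c8d6e0f1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d5e"
    )
    weak_secret = b"key"

    session = {"user": "alice", "role": "user"}
    forged = {"user": "alice", "role": "admin"}

    # 1. Tampering without the secret: swap the body, keep the old tag -> rejected.
    good = sign_cookie(session, strong_secret)
    tampered = encode_body(forged) + "." + good.rsplit(".", 1)[1]
    tamper_rejected = verify_cookie(tampered, strong_secret) is None

    # 2. Guessable secret: recover it from a single captured cookie, then forge.
    weak_cookie = sign_cookie(session, weak_secret)
    recovered = brute_force_secret(weak_cookie, short_lowercase_secrets())
    forged_accepted = (
        recovered is not None
        and verify_cookie(sign_cookie(forged, recovered), weak_secret) == forged
    )

    # 3. The same search against the strong secret finds nothing.
    strong_resists = brute_force_secret(good, short_lowercase_secrets()) is None

    return {
        "tamper_rejected": tamper_rejected,
        "recovered_secret": recovered,
        "forged_accepted": forged_accepted,
        "strong_resists": strong_resists,
    }


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it. The body is only base64, so everything in the session is readable by the client even when the tag is unforgeable; that is the "do not trust the data you send to a user to remain secure" point. And the brute force never touches the server: one captured cookie is enough to test guesses at local hashing speed, so the secret's entropy, not rate limiting, is what bounds the attack.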