Hi @henryg
The links are encoded and difficult to guess - for example, they contain more than just alphanumeric characters. My colleague explains this a bit more here, using an example string from the URL:
If you wish, you can force the client to enter a password. This can be enabled on a client-by-client basis:
Hope that helps!