I was working on a project and shared a link of a GitHub file to another person, the person was not able to access it because he did not have access to the repository. I was surprised because the same person was able to access the file from the same repo when I shared another file a few days back. So I went back and checked the URL I had shared with him, the only difference was that the URL that I had generated earlier was the URL that gets generated when you access the raw version of the file(shown in the image below).
Now, when I checked on the reason for this behavior, it seems like the URL generated for the raw version contains a time-based token that is supposed to be used by the user who is generating the URL and is not supposed to be shared.
The question is, is it sufficient enough to enforce security? Can user access checks not be applied to the raw URL also?