> but also the timeline strongly implies that a specific source was simply guessing the URL of the PDF long before it was uploaded

A bunch of people were scraping commonly used urls based on previous OBR reports, in order to report as soon as it was live, as it common with all things of this kind

The mistake was that the URL should have been obfuscated, and only changed to the "clear" URL at publish time, but a plugin was bypassing that and aliasing the "clear" URL to the obfuscated one

https://obr.uk/docs/dlm_uploads/OBR_Economic_and_fiscal_outl... 5.pdf

Not hard to guess really. Wouldn't they know this was likely and simply choose a less obvious file name?

It sounds like a combination of the Download Monitor plugin plus a misconfiguration at the web server level resulted in the file being publicly accessible at that URL when the developers thought it would remain private until deliberately published.