Yes that's correct.

edit: I guess an easy fix is to append a cryptographic hash to the post ID, but yeah currently I'm assuming you trust your friends.