This is an important point, private videos should not be impacted by this as knowing the URL isn't enough to access the video. Unlisted videos are indirect-object reference by design. It's poor security, but the user is expected to understand the tradeoff (if they actually do is questionable).