Hacker News

I noticed that Facebook does this too. If you share a photo or video in a secret or closed group, then you do have to be a member of that group to view the post. But the raw photo and video have URLs that anybody in the world can access with no authentication checks at all.


A long URL is essentially an authentication check. It's long/complex enough it can't be guessed, same as an auth token in your cookie. I'm not sure what guarantees they have regarding changing access, deleting images, etc but those would be the trade-offs. The advantage is the CDN doesn't have to perform auth checks which speeds up response times.

That said, I was under the impression Facebook's CDNs did support auth checks from cookies, such that passing URLs around didn't bypass this. So I kinda doubt the claim.


Alternate model for how I would guess this works: Facebook CDN URLs are unauthed (in the sense that the CDN probably doesn't know how to evaluate the entirety of Facebook's permissions model). Instead, the web/API server that enforces permissions checks will hand an authorized client a signed CDN URL that expires in some bounded time. If that URL leaks, anyone can view the underlying image, but only for a short window, after which a client would have to go back to the auth-aware web/API server to get a new signed CDN URL.
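The signed, expiring CDN URL model described in this comment, as an added example that is not from the thread or from Facebook: the permission-aware API server mints a URL carrying an expiry and an HMAC over path plus expiry, and the edge verifies only the MAC and the clock. The host name, key and paths are constructed for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed example key shared by the API server and the CDN edge (not a real secret).
CDN_SIGNING_KEY = b"constructed-example-key-not-a-real-secret"


def _mac(path: str, expires: int, key: bytes) -> str:
    # Bind the signature to both the object path and the expiry time so neither
    # can be changed without invalidating the URL.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_cdn_url(path: str, ttl_seconds: int, now: int, key: bytes = CDN_SIGNING_KEY) -> str:
    """API-server side: call only after the requester's permission to see `path` was checked."""
    expires = now + ttl_seconds
    sig = _mac(path, expires, key)
    query = urlencode({"exp": expires, "sig": sig})
    return f"https://cdn.example.invalid{path}?{query}"


def verify_cdn_url(url: str, now: int, key: bytes = CDN_SIGNING_KEY) -> bool:
    """Edge side: knows nothing about group membership, only the MAC and the clock."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # unsigned or malformed URL
    if now > expires:
        return False  # leaked link has aged out of its window
    # Constant-time comparison so the edge does not leak the MAC byte by byte.
    return hmac.compare_digest(sig, _mac(parts.path, expires, key))
```

A leaked link stays usable only until `exp`; revoking it earlier (for example after the post is deleted) needs the edge to consult the origin or the key to be rotated.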


It can't be guessed, but it can be shared, which is a vulnerability for content that would otherwise be inconvenient to share, e.g. large videos.


Which is actually a way worse security model: Facebook is public. Period.



