For directories containing "private images" or sensitive data, simply disabling indexing is not enough. Proper authentication (e.g., Basic Auth, OAuth, or application-level login) must be implemented to prevent direct access to the files even if the URL is known.

Instead, I can write an informative article that explains: