You can revoke a link. Go to the shared album page (clicking on the link will take you there). Click the options menu item and there is a toggle for link sharing that will revoke the magic URL and token.
You can revoke sharing links, but there are also direct links to photos that work for unauthenticated clients. They aren't presented in the UI as a sharing option; you have to use your browser to copy the link. In other words, the only way to make these links public is through intentional user action.
This shouldn't be true any more; I just tried it out by grabbing the lh[0-9]* URL for the image bytes, and that won't open in an incognito browser without a Google Login. Can you share with me how to reproduce this "URL copy"? If you want to send it privately, just tack gmail.com onto my username.
Or you can file feedback from the photo web page and just tag me in it.
I just tried it with an lh3 URL I got from Chrome; it opens fine in incognito. Repro easily: from /photo/ page, open image in new tab; copy address to incognito; expected: login challenge, actual: photo.