Author here, I think we're mostly in agreement. Unlisted is a great approach for usability, especially for content with low sensitivity. It's a risk versus effort thing.

I'll point out that users don't always have a perfect understanding of the security websites provide. I'm a fan of Krug's book, Don't Make Me Think, as a model for how users interact with website UI and I think that's often how users interact with security. If you expect users to read, understand, and retain technical information you're going to be disappointed.

For YouTube in particular I noticed a number of articles that explain how unlisted content can leak and how to recover from a leak, so I think the 'may' in the quote is quite correct.



I vaguely remember seeing a small help text on YouTube when you try to share an unlisted video where they tell you as the user that it's unlisted and to "be mindful" about sharing it. I think most people who read that don't understand what that means, so maybe that's why I believe they don't show it anymore. I wonder if it has anything to do with that `si` URL parameter that the Share button introduces into the URL.

Anyway, maybe I didn't fully comprehend your article, but it still seems a bit mysterious to me how a database of unlisted YouTube videos could exist. Is it just based on user submissions? If so, how are they finding the URLs to the videos in the first place? In my experience, the way they might leak is if the uploader mistakenly adds an unlisted video into a public-facing playlist, but that doesn't seem to me like it would be a common error among content creators.


We are generally on the same page, and your thoughtful reply got my upvote. I bet we'd agree good UI derives from familiar concepts and offers affordance.

You don't need to be technical to have a decent idea of what "Unlisted" means.

A pretty good analog is the days when the White Pages had everyone's phone number printed in them. If you wrote your unlisted number on a billboard or gave it to someone else who compromised it, you wouldn't expect to retain your privacy. There are lots of things on the Internet that quack like a duck but bite like a snake; this isn't one of them. It does exactly what's written on the tin.

It's unfortunate (if not surprising) that malicious individuals are compiling the digital equivalent of "Dark Pages", and I salute your effort to raise awareness of that risk amongst web developers.

I grant "Unfair" wasn't a precise enough word; I just felt that at that point you slipped from spotlighting unintentional architectural oversights that are fair game to advocating opinionated change to a deliberate design choice. Sometimes we need real scissors, not safety scissors!


Yes, I think familiarity is quite important. The white pages example is quite dated though. I'm in my late thirties and I think the only time I've seen a phone book being used was in the Terminator movie. So the analogy feels like the save icon being a floppy disk. I'd be curious what the younger crowd thinks.
