The security pattern of a URL with a random string is security-equivalent to a pubic username and a random string password, and also equivalent to the security pattern of a bearer token: so long as the URL is shared only with authorized users, it's the same security hardness.
The pattern can tune the security by using more randomness, such as more characters. There are implementation areas to consider, such choosing a random number generator with high quality randomness like /dev/urandom. There are some access control areas to consider, such as all the people having the same bearer token, which means there's no way to do finer-grained permissions per-user or per-role or per-attribute. There are some user interface areas to consider, such as if a user/agent doesn't treat the URL as secret, because it shows content rather than masking characters such as "*".
For comparison, "security by obscurity" means there's a weakness in how the security is built, such that if you saw the source code, or the physical insides of a lock, then you would understand more about how to crack the security.
In URL pattern, an example of security by obscurity would be if the URL string was not actually random but instead was simply incrementing, or was based on a reversible function of the time or username, etc. If you read the source code, you would discover that there's guessable sequence or guessable trick, and thus become much more likely to break the security.
Edit: I strongly favor higher security, and fine-grained access control, and multi-factor authentication, and UI/UX masking, etc. This post is just to look at security by obscurity.