Maybe I am missing something but can someone not just guess shared secrets? OK - they are random 32 character strings but if I start guessing at random I suspect that before too long I will hit one that is used by somebody. So whilst it might be hard (impractical) for me to guess a particular person's folder code surely it is quite possible to land some data that I should not be intended to see.....