If an attacker can infer the slug or URL of an unpublished or private resource, and this resource can be embedded (such as a Participatory Process, an Assembly, a Proposal, a Result, etc), then some data of this resource could be accessed.
version 0.27.6
https://github.com/decidim/decidim/commit/1756fa639ef393ca8e8bb16221cab2e2e7875705
Disallow access through your web server to the URLs finished with /embed.html