
If that's true, it's also true that it's reasonable to access someone's bank account with a SQL injection, since those are just different kinds of links.


I'm not sure I follow. I'm thinking of a Google Docs link where anyone can access the document if they know the URL. How is that like an SQL injection?


Oftentimes, part of a URL is fed directly into a database. Tweaking this part is how you do SQL injection, which then gives you access to documents you weren't originally authorized for.

It sounded like Thomas's point was that if you base legal claims off of the mere fact that URLs are used, then you must consider all types of URLs. One type of URL is a kind that performs SQL injection, which gives you access to unexpected documents, which is already quite illegal.

Such URLs are fundamentally accessible by anyone. (Anyone can type any URL into any browser, so hypothetically one could inject SQL by accident and end up with an unauthorized document.) So if you consider URLs enough to determine whether a document is protected, it must be true that many private digital documents on the planet are in fact public, because many private documents are vulnerable to SQL injection.
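The mechanism described in the comment above, as an added example that is not part of the thread: the same URL parameter reaches the database once by string concatenation and once as a bound parameter. The table layout, function names and `docs.example` URLs are constructed for illustration.

```python
import sqlite3
from urllib.parse import urlparse, parse_qs

def make_db():
    # Constructed sample data: two private documents with different owners.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE docs (id TEXT, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO docs VALUES (?, ?, ?)", [
        ("1", "alice", "alice's notes"),
        ("2", "bob", "bob's bank statement"),
    ])
    return db

def doc_id_from_url(url):
    # The part of the URL that the application hands to the database.
    return parse_qs(urlparse(url).query).get("id", [""])[0]

def fetch_concatenated(db, url, user):
    # Vulnerable: URL text becomes part of the SQL statement, so it can
    # change the WHERE clause instead of only supplying a value.
    sql = ("SELECT body FROM docs WHERE owner = '" + user +
           "' AND id = '" + doc_id_from_url(url) + "'")
    return [row[0] for row in db.execute(sql)]

def fetch_parameterized(db, url, user):
    # Hardened: the URL value is bound as data; the ownership check in the
    # WHERE clause cannot be rewritten by anything in the URL.
    sql = "SELECT body FROM docs WHERE owner = ? AND id = ?"
    return [row[0] for row in db.execute(sql, (user, doc_id_from_url(url)))]

# Constructed URLs: an ordinary request and one with a tweaked id parameter
# (URL-encoded form of: 2' OR '1'='1).
NORMAL_URL = "https://docs.example/view?id=1"
TWEAKED_URL = "https://docs.example/view?id=2%27%20OR%20%271%27%3D%271"

if __name__ == "__main__":
    db = make_db()
    for fetch in (fetch_concatenated, fetch_parameterized):
        print(fetch.__name__, fetch(db, NORMAL_URL, "alice"),
              fetch(db, TWEAKED_URL, "alice"))
```

With the concatenated query the tweaked URL returns documents owned by someone else; with the bound parameter the same URL matches no row, because the ownership check stays in the statement the server wrote.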



