location /private-images/ autoindex off;
The inclusion of immediately raises the stakes. While an exposed directory of public stock photos is a minor oversight, a directory labeled "private images" suggests: parent directory index of private images updated