in reply to Where to store images?
I advocate storing images and other BLOBs in the file-system, indexed by a nonsensical key such as a UUID. It is absolutely impossible for anyone to "guess" what a valid UUID would be.
Upon receipt of such a URL, your program looks up the UUID and makes sure that the user is entitled to receive it, then serves up the contents of the file... which is not otherwise accessible to the user. If the user is not authorized, fail the request, and don’t say why (except in the server logs).
In this way, you provide a secure and “opaque” reference to the data, while using the file-system (or the SAN or what have you) for what is, after all, its intended purpose in life: as a database designed to store millions of arbitrarily-sized and potentially-large objects called files.
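The lookup, entitlement check and serve flow described in this reply, as an added example that is not part of the original post. The in-memory `index` dict, the user names and the function names are assumptions standing in for a real database and session layer.

```python
import logging
import tempfile
import uuid
from pathlib import Path

log = logging.getLogger("blobstore")
DENIED = (404, b"Not Found")  # one response for every failure mode


def store_blob(root: Path, index: dict, data: bytes, allowed_users: set) -> str:
    """Write data under a random (version 4) UUID and record who may read it."""
    key = str(uuid.uuid4())
    (root / key).write_bytes(data)
    index[key] = set(allowed_users)
    return key


def serve_blob(root: Path, index: dict, user: str, raw_key: str):
    """Return (status, body). The caller never learns why a request failed."""
    try:
        # Canonical form only: the path is built from this, never from raw input.
        key = str(uuid.UUID(raw_key))
    except (ValueError, AttributeError, TypeError):
        log.warning("denied user=%r: malformed key %r", user, raw_key)
        return DENIED
    allowed = index.get(key)
    if allowed is None:
        log.warning("denied user=%r: unknown key %s", user, key)
        return DENIED
    if user not in allowed:
        log.warning("denied user=%r: not entitled to %s", user, key)
        return DENIED
    try:
        return 200, (root / key).read_bytes()
    except OSError as exc:
        log.error("index entry %s has no readable file: %s", key, exc)
        return DENIED


def demo():
    """Constructed sample data: one blob, readable by 'alice' only."""
    with tempfile.TemporaryDirectory() as tmp:
        root, index = Path(tmp), {}
        key = store_blob(root, index, b"\x89PNG sample", {"alice"})
        return {
            "owner": serve_blob(root, index, "alice", key),
            "other_user": serve_blob(root, index, "bob", key),
            "unknown_key": serve_blob(root, index, "alice", str(uuid.uuid4())),
            "traversal": serve_blob(root, index, "alice", "../../etc/passwd"),
        }
```

The three failing cases return the identical response, so the client cannot tell a valid key it is not entitled to from one that does not exist; the distinction appears only in the log.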