The GP commenter makes it clear that the CSV file is written to on the server-side (using PHP) as a consequence of request handling, not on the client side. There is no place that the CSV URL is visible, other than in the PHP source (that clients cannot access) and in the Google Sheet (which is presumably internal to the GP's GSuite domain.)
It's security-by-obscurity, maybe (as all public "secret token" URLs are) but it's better than what you're implying.
As a learning exercise, I tried to find it too, but I wasn't able to get it from the domain in the js file, could you explain how you got to the final file?
This is strictly as a learning exercise, no malicious intent on my part.
It's security-by-obscurity, maybe (as all public "secret token" URLs are) but it's better than what you're implying.