I will 100% guarantee you that did not happen.
Web developer calls me up — being the local friendly sysadmin — on the phone and says he thinks Google has somehow found the password protected post (the first one made on the site), so I — having never seen the post before — investigate and find the text in the RSS feed.
I have since added:
<location /feed/>
Require all denied
</location>
<location /comments/feed/>
Require all denied
</location>
to the Apache virtual host.
The site is complicated in other ways, and there could be something else going on. In particular, if I test on the virtual host that is used for editing the site, the feed does not have the post. But the DB is copied to a second place for the live view (and on that host, wp-login.php is “Require all denied”).
