The current API doesn't support sending links. It looks like the link is made up of three parts:
1. Individual ID from the FamilyScript file
2. A hash that incorporates whether it is view or edit access, something random, and who knows what else
3. The ID of the family tree.
Since you know the other two, the question would be if the developer would share how the hash is generated. So the real question is, "Does sharing how the hash is generated open any security holes?" That is to say: if you know how the hash is generated, can you generate editing links to other family trees?
If you know all three things, then you can. You know at least one of the Individual IDs, and you would now know how to create the hash. But I don't see how you can know the ID of a random family, but you do know the family ID of any family that you have viewing rights to. So you could create a link that gives you editing rights.
So it does seem like it is a security risk, so I don't think we can know #2. Unless I've made a mistake somewhere.
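
The question in this post turns on whether the hash depends on anything the server keeps secret. The following is an added example, not the site's actual scheme (which the page does not disclose): it compares a link token built from a plain hash of the three known fields with one built using HMAC and a server-side key. All IDs, the secret and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample secret; the real site's token scheme and ID formats are not known.
SERVER_SECRET = b"constructed-demo-secret-kept-on-server"


def _message(tree_id: str, individual_id: str, access: str) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = [tree_id, individual_id, access]
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)


def unkeyed_token(tree_id, individual_id, access):
    """Weak design: anyone who learns the recipe can compute any token."""
    return hashlib.sha256(_message(tree_id, individual_id, access)).hexdigest()


def keyed_token(tree_id, individual_id, access, secret=SERVER_SECRET):
    """Stronger design: the token also depends on a secret only the server holds."""
    msg = _message(tree_id, individual_id, access)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def server_accepts(tree_id, individual_id, access, token, keyed=True):
    """Server-side check: recompute the expected token, compare in constant time."""
    make = keyed_token if keyed else unkeyed_token
    return hmac.compare_digest(make(tree_id, individual_id, access), token)


def viewer_can_mint_edit_link(keyed: bool) -> bool:
    """A viewer knows the tree ID, an individual ID and the recipe, not the secret."""
    tree_id, individual_id = "tree-123", "ind-456"  # constructed IDs
    if keyed:
        # Without the server secret the viewer can only guess a key; this guess is wrong.
        guess = keyed_token(tree_id, individual_id, "edit", secret=b"viewer-guess")
    else:
        guess = unkeyed_token(tree_id, individual_id, "edit")
    return server_accepts(tree_id, individual_id, "edit", guess, keyed=keyed)


if __name__ == "__main__":
    print("unkeyed hash, recipe public:", viewer_can_mint_edit_link(keyed=False))
    print("HMAC with server secret:    ", viewer_can_mint_edit_link(keyed=True))
```

With the keyed construction, publishing the recipe does not let a viewer turn a view link into an edit link; the secret key is the only part that has to stay private.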