If you have sufficient permissions to look at an image or movie in an album, you can grab the URL for the full-sized image/movie in the page source.
That full-sized image can then be obtained directly by inserting the URL in the browser and the webserver will happily serve the document.
Knowing that pictures usually come with a serial number IMG_212.JPG, you can easily try other close numbers and you are likely to get other content, even when you wouldn't necessarily have permissions to get them.
Instead of giving the URL directly in the page source, wouldn't it be more secure to put a URL like <img src="getimg.php?id=albums/blahblah/blahblah/IMG_2000.JPG" /> and verify the permissions from the getimg.php script? Then, you could just disable serving certain files in the webserver with directives:
<FilesMatch "\.(gif|jpg)">
[limiting directives will go here]
</FilesMatch>
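The scheme proposed in the post above, as an added example that is not part of the original post or the gallery's own code. GALLERY_BASE, the session layout and user_can_view() are assumptions; because the id parameter is a file path, the script also has to stop it from resolving outside the albums tree.

```php
<?php
// getimg.php sketch. GALLERY_BASE and user_can_view() are hypothetical names;
// a real gallery would query its own album permission tables instead.
// Assumes the web server already refuses direct requests for albums/*.
const GALLERY_BASE = '/var/www/gallery';            // constructed path
const TYPES = ['jpg' => 'image/jpeg', 'gif' => 'image/gif'];

function user_can_view(string $album): bool
{
    // Hypothetical: the login code stored the viewable albums in the session.
    return in_array($album, (array)($_SESSION['albums'] ?? []), true);
}

// Returns [absolute path, album directory], or null if $id is not a file under albums/.
function resolve_image(string $id): ?array
{
    if ($id === '' || strpos($id, "\0") !== false) {
        return null;
    }
    $root = realpath(GALLERY_BASE . '/albums');
    $path = realpath(GALLERY_BASE . '/' . $id);     // collapses ../ and symlinks
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                                // escaped the albums tree
    }
    return [$path, dirname(substr($path, strlen($prefix)))];
}

session_start();
$hit = resolve_image((string)($_GET['id'] ?? ''));
$ext = $hit === null ? '' : strtolower(pathinfo($hit[0], PATHINFO_EXTENSION));

// One 404 for missing, out-of-tree, wrong type and not permitted, so the
// reply does not confirm whether a guessed IMG_nnn.JPG exists.
if ($hit === null || !array_key_exists($ext, TYPES) || !user_can_view($hit[1])) {
    http_response_code(404);
    exit;
}

header('Content-Type: ' . TYPES[$ext]);
header('Content-Length: ' . filesize($hit[0]));
header('X-Content-Type-Options: nosniff');
readfile($hit[0]);
```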
That is well known and not a matter of security. Loading the image dynamically as you propose would cause an enormous load on the server that would bring down busy galleries pretty soon, so it's not an option.