Just in case someone decides to implement the above in an app, a much better solution would be to hash the order.id with a customer secret, such as:
xxx.pdfinvoice.com/{{ order.id | prepend: 'A secret specific to this app user' | md5 }}
This would prevent people accessing other people's invoices by simply changing the id number.
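
The server side of this idea, as an added example that is not part of the original post: the receiving app recomputes the token for the requested order and compares it in constant time. It uses HMAC-SHA256 (Shopify Liquid's `hmac_sha256` filter) in place of the prepend-and-md5 construction; the `/<shop>/<order_id>/<token>` path layout, the `SHOP_SECRETS` table and the function names are assumptions.

```ruby
require 'openssl'

# Constructed per-shop secrets (assumption); a real app loads these from its own store.
SHOP_SECRETS = {
  'shop-a' => 'constructed-secret-for-shop-a',
  'shop-b' => 'constructed-secret-for-shop-b'
}.freeze

# Token for one order. Liquid counterpart: {{ order.id | hmac_sha256: secret }}
def hmac_token(secret, order_id)
  OpenSSL::HMAC.hexdigest('SHA256', secret, order_id.to_s)
end

# Compare two strings without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Parse the assumed path "/<shop>/<order_id>/<token>" and return the order id
# only when the token matches that shop's secret; nil otherwise.
def authorized_order_id(path)
  m = %r{\A/([a-z0-9-]+)/(\d+)/(\h{64})\z}.match(path)
  return nil unless m
  secret = SHOP_SECRETS[m[1]]
  return nil unless secret
  secure_equal?(hmac_token(secret, m[2]), m[3].downcase) ? m[2] : nil
end

if __FILE__ == $PROGRAM_NAME
  link = "/shop-a/1001/#{hmac_token(SHOP_SECRETS['shop-a'], 1001)}"
  p authorized_order_id(link)                          # valid link
  p authorized_order_id(link.sub('/1001/', '/1002/'))  # id changed, token reused
end
```

Liquid renders on the server, so the secret does not reach the customer's browser, but anyone who can edit the template can read it.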