We have a secure calendar. We don't want the public seeing it. We've been able to deactivate and deny access to the public EXCEPT when it comes to the EXPORT TO XML function. The link seems to be live even to the public and generates an XML feed of all our secure events. Google search has picked up on this, and is listing in it's search results. The link it finds is not a page but a direct call to the function: http://www.healthpolicyfellows.org/?plugin=all-in-one-event-calendar&controller=ai1ec_exporter_controller&action=export_events&xml=true which results in a calendar file being built and downloaded. We want this function for our approved users, but not for the general public.
Effectively there is no way (that I can find) to have a private calendar with this function activated.