"Harder to guess" is never a viable strategy. Either your application allows access to record 3 for User X or it doesn't. Guessing should have no part in controlling that.
To enforce an ability where it "doesn't" means filtering requests based on a user with a known profile. If logged-in User X is allowed to see only records which match a certain pattern, then your app has to mark records so that pattern can be searched for, and queries have to be dynamically generated based on user pofile data to find that pattern.
-- gw
First things first.
If you build already a great web application and your control of
resources are adequate then perhaps it is time to play with urls.
Most of people struggle to get urls more Google friendly or human
readable, I hope that you have a clear idea on what you would like to
achieve.
Any hoe you can make some kind of hash function that will do mapping
from hash value to and from :controller/:action/:id format. Little
helper function and some route mapping and you can be on your way to
make your great web app with adequate control of resources even better
with links harder to guess.