If the RSS feeds are retrieved over HTTPS then there's no moreHuh?
HTTPS does nothing to authenticate that the person using the URL even has an account at Groups.io, much less is a member of the specific group.
A member-specific token (hashed) helps somewhat by preventing non-members from obtaining a valid token merely by visiting the group's home page.
But if a member forwards or posts the tokenized URL somewhere then it is game over. First someone would have to detect that the URL is being misused, and then there would need to be a means to repudiate the token.
Both are possible*, but detecting that there is misuse is by far the more challenging. Even if the perp does something so blatant as posting the group's messages on a public blog it can be a considerable length of time before someone stumbles upon that fact.
*An URL with an embedded token is in fact the means by which Flickr implements the "Guest Pass" feature, and those tokens can be repudiated. It is also the means by which the former Yahoo! Groups implemented an ability for members to retrieve message attachments from the site without being logged in. I think Google Photos' Shared Album feature works similarly, and I think there are many other examples of quasi-private sharing by means of a secret (tokenized) URL.
However, except Yahoo Groups, the examples I can think of are all situations where the person creating the "share" link is the owner of the shared content. This is not the case with the messages of a Groups.io group.