Drupal Association members fund grants that make connections all over the world.
We should add a token to the link output by theme_token_tree_link() based on the serialized token tree options and check that token in the callback of token_page_output_tree(). This will prevent random people from accessing the /token/tree page and being able to see what tokens are available on a site.
This issue was cleared by the security team to be fixed publicly since no actual private information (i.e. token values) is disclosed, only the available tokens themselves.