It's encrypted in your browser. The server only ever stores ciphertext, and destroys it the moment it's read.
…or on first view, whichever comes first.
Adds a second factor that isn't in the link (derived with Argon2id). Share it separately from the link.