Is using a GUID for an uploaded filename secure?

In this case you could prepare different content for email and for thread. For example, email can have embedded images (not public accessible link).

The only way to keep public link in secret - never show it anywhere. Seriously.

Forums that use the Google login must trust Google anyway.

If you trust google auth, that does not mean you should trust it everywhere. I’d like to say that security does not work such way. You must have proofs that all involved 3rd-party services and users do not compromise security. That’s impossible via primitive shared secret without server side check.