We use Marketo forms on our web pages, via the embed code, and we use the same form for all assets. We are displaying the actual asset as the follow up page, so we use the forms2.0 API and include the URL of the asset as shown in the 2nd example on this page in the developers site, so we end up with a line in the js code like this:
location.href = "URL-of-Asset.pdf".
Therefore the URL is accessible to indexers.
I'm not too concerned about the user displaying page source to find it, but the google indexer, ah, that's a different story.
Of course, we could switch strategies and send them an email with a link to it. With program tokens, we can use a single email and follow up page for all assets. Might be just as easy and the problem goes away. Open to ideas.
So the suggestion is to use a robots.txt file to limit access to the folder where the assets are located? (our assets are not hosted in Marketo).