Anyone with the PDF can click on one of the links and see the entire bibliography … it also allows anyone with that link to edit or delete the citations in the document without the author’s permission.
I tested this just now. I was credulous that it was true, so I downloaded a PDF, opened up an “incognito” window in Chrome (which means I am logged out of Google and Paperpile) and pasted a link from the PDF. Indeed, I could edit citation data from my Paperpile account, and these edits affected my bibliography. (I didn’t try deleting an entry, but there is a delete button.)
This is a major oversight and I hope it gets fixed right away. I can see how it might be nice to share the references in this way, but those clicking on the link should only see citation data, not be able to edit or delete. (Note: I didn’t see the PDF attachments listed in this view, which is as it should be.)