...Are you sure this is non-custodial? ...
I'm presuming as much from the fact that the URL alone is (was) enough to redeem the funds (no passwords or other auth required).
That said, it's possible there may be some other cryptographic secret only BRD (now Coinbase) retains.
Hence, why I was hoping someone smarter than me might take a peek at the code (GitHub linked in this thread) & weigh in.
Specifically, tracing the gift redemption path which appears to originate at the QR code logic linked here:
https://github.com/breadwallet/breadwallet-ios/blob/f90e2083ee1e908fa5793b8f3d659754166513c2/breadwallet/src/Models/QRCode.swift#L48
It interprets a (padded) base64 as the payload to distill a key, but I can't figure out if it's
salted with something additional, or pretty much raw (& if I'm just screwing up the basics of
unwinding the base58 etc.)