My apologies for stating the obvious:
The cache wasn't being kept on the owner's smartphone, as they could access other people's pictures.
Therefore an important question is whether said cache was kept and managed on Google servers or on Xiaomi ones.
And a more important question is why-the-eff said cache was accessible without password + encryption.
This was no bug, it was a feature.