Unprotected private access - isn’t that a bit of an oxymoron? How can it be private if you don’t exclude access in some way? There is another way to show only certain people a specific folder.
You could disallow everyone to a specific folder except people from a number of specified IP’s or a dynamic IP domains using .htaccess. This might work if you know that your clients will only be accessing the folder from those specified ip’s or if they have bought a dynamic IP address and know how to use it. Once you know their dynamic IP domain or static IP address, it’s just a case of allowing only those IP’s and dynamic addresses to view what’s in the folder.
Keep in mind though: now you’re placing the onus of security on the client. You’ll have to assume they even know what you’re talking about. You’ll have to ask every wholesale client for their address. They can only access your folder (and consequently the form contained in the folder) from a specific IP or dynamic address. If they’re out on the road and they want to access your form from the public library or a friend’s machine, they’ll be out of luck.