If the author edits their post and the reader then follows the "View Edit History" URL, then the reader can see in the address bar the story_fbid= and the (author) id= URL parameters without the obfuscation.

If the reader follows the "People who reacted" URL, then the reader can see the story_fbid= and (author) id= paramaters, without obfuscation.

If the reader follows the "Comment" URL, then the reader can see the story_fbid= and (author) id= paramaters, without obfuscation.

If the reader follows the "React" URL, then the reader can see the story_fbid= and (author) id= paramters, without obfuscation.

Those are just four ways to discover the unobfuscated story_fbid number. There are probably others.

Tested with mbasic.facebook.com.

I have always stripped everything but the story_fbid and (author) id parameters when sharing URLs pointing to posts on Facebook. Anything else in the URL is unnecessary. On the desktop/laptop/RPi, this stripping can be automated using a localhost forward proxy.

Another issue that seems to fly under the radar with Facebook users is the prefixing and proxying of external URLs with https://lm.facebook.com/l.php?u=.