szilak.com

Instagram private profile deanonymization

<2025-04-24>

The intended functionality :D

Since this behavior was closed as intended functionality half a year ago, I'll share it publicly to aid possible OSINT investigations / stalkers in the future :D

Summary: If a private profile has a collaboration post with a public profile, the post and its collaborators can be accessed without authentication, knowing only the private profile's username. This expands the set of possible connections to the target of the investigation.

When https://www.instagram.com/szh4ck3r/ is opened unauthenticated, the browser makes a request to https://www.instagram.com/api/v1/users/web_profile_info/?username=szh4ck3r (the old Instagram API), and the response lists the user's collaboration posts with public profiles.


The "coauthor_producers":[...] array contains the coauthor usernames of a post, which can be used for further investigation.


Since one of the coauthors found through this behavior is always a public profile, the next step is to get its follow{er,ing} lists and expand the list of possible connections once again.

To dump the shared pictures of a private profile, run a simple grep -o 'display_url":"[^"]*' over the response to get all post URLs, pipe it through | sed 's/\\u00/\%/g' to turn the \u00 Unicode escapes into URL percent-encoding, then download or open the clean URLs.

szilak.com by Mate Szilak is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.