If your "included content" nodes need to stay inaccessible, then consider blocking /node/* on the webserver "location = /node/*" level. Default deny access to all /nodes. Default allow access to nodes that received a path-auto path like /pages.
(The basic .htaccess password for subdirectories is a decent way of blocking accidental search indexing by external crawlers, too.)
You can never guarantee that a node will not become accessible via a contributed module that happens to be installed in the future, or one that you do not fully understand yet. (Search results, listings, default views, taxonomy category overview ...)
It is what nodes are for.
Is the privacy of your "included content" that important to you? If so, then ...
Everything that has an URL will eventually be hit by google.
Because search engines do not rely on link spiders alone. They also evaluate browser feedback etc. No robot.txt, or pathauto, globalredirect, rabbithole module will help you sleep in peace. If the node can be accessed, then it will be indexed. Maybe by your own browser/addons.
Reconsider if "content that is to be included" should really be a node, if noone should access it as a page?
If your "included content" would be stored inside a mini-panel/block/snippet/bean/..., then you are at a much lower risk of it ever being listed, or ever appear as a page with an automatic URL you don't know about, yet. (taxonomy overview pages, search, views ...)