Why does it matter? Most likely the user wouldn't know to go to the .load URL, and even if they did, they will simply view a poorly formatted version of what they can already see elsewhere. If the action needs to be protected via authentication, then decorate it with an Auth decorator, as any other action.
Anyway, this is not part of the public API so not guaranteed to remain backward compatible, but I suppose you could always do:
    if not request.cid:
        raise HTTP(404)
But again, if the action needs to be protected via authentication, then use Auth decorators instead.
Anthony