If a user (for example a student) tries to access a non-existent course pointing to its URL, Moodle returns a 404 error. If the course exists and the user isn't enrolled, Moodle returns a 303.

Although knowing a list of course IDs this is not exploitable information, it would be good practice to treat a course page you do not have access to the same as if the page did not exist. This will also avoid any "fingerprinting" of the potential size of the site/institution based on number of courses.