robots.txt doesn't always work (why is an open question), but the tag meta content="noindex,nofollow" name="robots"hasn't failed yet.

You can, in addition to robots.txt (for example, generate it here ), wrap the content with tags (see link ):<noindex>...</noindex>

In robots.txt
User-agent: *
Disallow: /section_root
Well, for my own peace of mind, also in head in all personal sections:
<meta name=“robots” content=“none”>
none - replaces noindex and nofollwo

Well, here google-bot even scores on basic authorization, it feels like it leaks passwords and indexes closed sites with absolutely impunity, absolutely hammering on robots.txt. After that, it’s not even clear at all how to defend yourself, apparently it’s stupid not to use chrome, just kick it off on the user agent so that it is not possible to merge the basic authorization password.

Well, I do not have basic authorization and I really like chrome.

https won't help?

well, first you need to understand how the robot gets to pages that are private to you ... if, as it is supposed here, Google Chrome merges passwords “by itself” :) then you should still have an authorized session “merged” in the logs, if not, then you have PROBLEMS, because the robot goes where it was not called just like that :).
Well, cut it off your shoulder, in general, the robot is quite easy to detect, do not let it eat what is not supposed to - there will be nothing to index.