Why not just pass a session id/key to the second URL* and allow that new page to retrieve the data you don't want exposed?
*or use a hidden field on a form submit.
BTW the limitations you're hitting have nothing to do with Arc or Closures, but rather are just limitations of Browser/HTTP technology (which are by design).
