Hi @Map_Sync - unfortunately, no specific tool. I used the needle in the haystack approach and tried to open each layer in the app until it was evident which were private. Your earlier comment regarding the second and a half window before getting bounced to sign is true for the ui experience. However, if you open the developer tools for your browser, you can easily persist the traffic from the initial page load. Which is then basically a log of the network traffic when the app loads all the layers in contains. In my case, I used Chrome's dev tools (CTRL + SHFT + I will open them).
The network tab in dev tools is where the traffic can be found. Selecting the Preserve log option (highlighted) below will keep the log as you go from page to page (especially nice in scenarios like this). I also filtered content to only urls with "Server" in the url, which should be all feature services and map services. Not always the case the offending url is a feature service or map service (or ArcGIS service in general) but most often, it is. And selecting the XHR option will further refine the network traffic to only include cross-domain requests (which basically excludes html / javascript traffic and generally returns service requests). So in this case, filtering on 'server' and XHR is a bit redundant but both are useful on their own.
Once I had the list below, I opened each unique request in a separate tab until it was clear which were unshared.
All of this can be done in Fiddler or any other tool that captures network traffic.
note: the screenshot below is from a sample I set up..not the app Jonathan posted.
Cheers
Chris