Yep, it does look like /run needs to be added. My PRUNEFS= line has tmpfs on it, but while this stops updatedb from indexing /run itself, it doesn't stop updatedb from traversing /run into any filesystems mounted under it (such as those under /run/media). Well spotted.
slocate will only list files that are both currently accessible, and readable by the user running the query. So, unless your kids have root access and are knowledgeable enough to try and run something like 'strings' against /var/lib/slocate/slocate.db then daddy's nocturnal activities involving "stuff" should remain undetected.