Store files privately. Never expose direct links.
Authenticate every access through your backend — validate user → fetch file → stream it.
Use short-lived tokens if needed, and log all access.
Security by design, not by obscurity.