Data Security File Upload Warning

Hi @graffte - See this other forum post for some more details and background: File attachements public by default? If so, what's the best strategy for making them private?

The summary is: by default Drupal saves files using the “public file system”, which puts them in sites/[url]/files, and although that cannot be browsed by the public, if someone knows the exact URL of an uploaded file they can go to that URL directly in a browser and see the file.

So it is “security through obscurity” right now, which I agree is not ideal. The only way it can be exploited is if someone knows an exact URL of a file. Worth noting that this has nothing to do with the “database” of farmOS (log, assets, area records/relationships/history). It is only uploaded files.

The solution to this is to switch to using the “private file system” in Drupal, which forces all requests for those files to go through Drupal’s access control logic. I am hoping to make that the default on Farmier hosting. It hasn’t been a big priority, but now that you bring it up my interest is revived.

Hope that all makes sense. I may be able to enable private files on your farmOS specifically as an initial test. Direct message me with your URL and let’s give it a try. One of the main considerations is that I’m not sure how it will work if we switch from public to private after files have already been uploaded - but if you haven’t uploaded any then that isn’t a problem.
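An added example, not part of the original post and not farmOS or Drupal code: a defender's inventory of the uploads that currently sit in a public files directory and the URL at which each one is directly fetchable, as a way to see what is exposed before switching to private files. The `sites/<site>/files` layout follows the post; the function names, the `farm.example` host, the sample tree, and the skipped generated directories (`styles`, `css`, `js`) are assumptions.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import quote

# Directories Drupal generates inside the public files directory (assumption
# for this example); they hold derivatives and aggregates, not user uploads.
GENERATED = {"styles", "css", "js"}


def public_upload_urls(docroot, base_url):
    """Return the sorted URLs of uploads stored under sites/*/files."""
    docroot = Path(docroot)
    urls = []
    for files_dir in sorted(docroot.glob("sites/*/files")):
        for root, dirs, names in os.walk(files_dir):
            if Path(root) == files_dir:
                # Prune generated directories at the top level only.
                dirs[:] = [d for d in dirs if d not in GENERATED]
            for name in names:
                if name.startswith("."):
                    continue  # .htaccess and similar are not uploads
                rel = Path(root, name).relative_to(docroot).as_posix()
                urls.append(base_url.rstrip("/") + "/" + quote(rel))
    return sorted(urls)


def build_sample_docroot():
    """Create a constructed sample web root in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    for rel in (
        "sites/default/files/soil test 2019.pdf",
        "sites/default/files/farm/log/photo.jpg",
        "sites/default/files/styles/thumb/public/photo.jpg",
        "sites/default/files/.htaccess",
        "sites/default/private/report.pdf",  # outside the public directory
    ):
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("constructed sample")
    return root


if __name__ == "__main__":
    for url in public_upload_urls(build_sample_docroot(), "https://farm.example"):
        print(url)
```
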