File attachments public by default? If so, what's the best strategy for making them private?

I’m probably missing something, but in my more recent testing file attachments for logs seem to be publicly accessible (without logging in) - at least if the url is known.

Is this expected? I don’t see an obvious way to change these attachments/uploads to use Drupal’s “private” upload location and most of the tutorials/instructions are based around content types which have been configured through the Drupal /admin/structure/types page.

That is true - the default config is “Public” file system, which means uploads to logs, assets, and areas are not behind password protection. But you do have to know the URL to see them. Note that this is not the case for CSVs uploaded to the importers.

The other option is to switch to use the “Private” filesystem in Drupal. I’d love to switch to that as a general default if we can figure out the migration path.

> most of the tutorials/instructions are based around content types

Right, so Drupal comes with its own entity type called node (aka content types), but we don’t use that. We provide our own (log, farm_asset, and farm_plan).

So we’d need to make changes in a few places I believe: there is a global setting at /admin/config/media/file-system. That may be all we need to do. It is also possible to override the default on each file and image field instance (on each log/asset/plan type). I think that’s probably the process you found, only it was related to nodes.

The bigger question is: do we need to also migrate existing files to a new location in the process? I’m not sure how changing this setting will affect existing files, if at all. If you are interested in testing that, please do and let me know what you find!

This might be worth opening a GitHub or Drupal.org issue for, instead of just a discussion post.

Awesome, thanks for the background! I think I will open a GitHub issue for this with some more concrete testing information - hopefully I’ll have time this evening… :slight_smile:

I’ve opened https://github.com/farmOS/farmOS/issues/263 to track this.

Update for anyone else finding this topic in the future who is hosting on Farmier: I am in the process of deploying private file uploads to all Farmier hosted instances.

I will continue to update the GitHub issue with relevant details for folks who are self-hosting, as well as continue the conversation around enabling this by default in farmOS (which has some other hurdles/considerations): https://github.com/farmOS/farmOS/issues/263
