I have my "Download method" in the File system config set to private. But it looks like anonymous users can still access files via URLs like /system/files/some_file.pdf
Looking at the /admin/user/permissions page, I don't see anything that can be used to control access to files via these /system/files/ URLs. Perhaps I should use htaccess to direct people away from URLs with '/system/files/' in them? That would effectively prevent everyone from accessing the files via that type of URL, so I would then need to write a module (with built-in access controls) to allow select roles to access the files via some other URL format. I'm a little surprised that would be necessary, though. Is there no setting in the 6x core to restrict access via these /system/files/ URLs? Am I missing it?