This is my first site using the private file system, but as far as I can tell, the only thing that happens when you switch from public to private is that:
- your URLs change
- hook_file_download() gets fired when a file is requested. So now you can implement this hook in your code (or get a module that does) and decide whether to serve the file or not.
The Imagecached images get sent to imagecache_cache_private(), which checks to make sure the user has access to the preset before serving the image. But it doesn't check anything else. I believe this means that you could request any image on the site if you knew the name of the preset and the name of the image because Imagecache doesn't check for file download permissions. To demonstrate:
example.com/files/image.png is denied by hook_file_download, but
example.com/files/imagecache/extra_large/image.png will be displayed if you have access to the preset 'extra_large'.
In imagecache_cache_private() I think there should be a call to module_invoke_all('file_download', $source, $preset) to ensure that the user has access to the original file as well as the preset. The attached patch adds that check.
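
The check described in the post above, as an added, stand-alone PHP sketch; it is not the attached patch and not Imagecache's code. All `demo_*` functions, the sample policy, and the request paths are constructed for illustration. The return convention (-1 denies, a headers array grants) is assumed to follow Drupal 6 core's handling of hook_file_download().

```php
<?php
// Hypothetical hook_file_download() implementations. Return convention as in
// Drupal 6 core: -1 denies, an array of headers grants, NULL is "no opinion".
function demo_private_file_download($filepath) {
  // Constructed policy: image.png is attached to restricted content.
  return $filepath === 'image.png' ? -1 : NULL;
}

function demo_image_file_download($filepath) {
  return preg_match('/\.png$/', $filepath) ? array('Content-Type: image/png') : NULL;
}

// Stand-in for module_invoke_all('file_download', $filepath).
function demo_invoke_file_download($filepath) {
  $results = array();
  foreach (array('demo_private_file_download', 'demo_image_file_download') as $hook) {
    $result = $hook($filepath);
    if (is_array($result)) {
      $results = array_merge($results, $result);
    }
    elseif ($result !== NULL) {
      $results[] = $result;
    }
  }
  return $results;
}

// Serve a derivative only if the preset is allowed AND the source file passes
// the same hook check a direct download of the original would get.
function demo_may_serve_derivative($request_path, array $allowed_presets) {
  // Expected shape: imagecache/<preset>/<path to original>
  if (!preg_match('#^imagecache/([^/]+)/(.+)$#', $request_path, $m)) {
    return FALSE;
  }
  list(, $preset, $source) = $m;
  if (!in_array($preset, $allowed_presets, TRUE)) {
    return FALSE;
  }
  $headers = demo_invoke_file_download($source);
  // Any -1 denies; no grant at all also denies.
  return !in_array(-1, $headers, TRUE) && count($headers) > 0;
}

// Constructed requests: the restricted original, then an unrestricted one.
var_dump(demo_may_serve_derivative('imagecache/extra_large/image.png', array('extra_large')));
var_dump(demo_may_serve_derivative('imagecache/extra_large/logo.png', array('extra_large')));
```

The first request is refused because one hook returns -1 for the original file, even though the preset itself is allowed.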