Given that orders’ data is private, I would expect that orders’ uploaded files would be private as well. Nevertheless, they are publicly accessible from “wp-content/uploads/ppom_files/”, so please make them private like the other orders’ data.
Thanks, but that .htaccess file is not a valid workaround, because thumbnails should be private as well; and with that rewrite rule, shop managers cannot download confirmed orders’ files.
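One way to get both properties the thread asks for (files and thumbnails unreachable by direct URL, yet downloadable by shop managers), as an added example that is not PPOM's own code: it assumes the folder wp-content/uploads/ppom_files/, that shop managers hold the WooCommerce capability `manage_woocommerce`, and a hypothetical action name `ppom_private_download`.

```php
<?php
// Added example (not PPOM's own code): block direct web access to ppom_files/
// and serve its contents only through a capability-checked WordPress endpoint.
// Assumptions: uploads live in wp-content/uploads/ppom_files/, shop managers
// have the WooCommerce capability 'manage_woocommerce', and the action name
// 'ppom_private_download' is a hypothetical name chosen for this example.

// 1) Block direct access: put this single line in ppom_files/.htaccess (Apache 2.4).
//    Thumbnails are stored in the same folder, so they are covered as well.
//    Require all denied

// 2) Gated endpoint: /wp-admin/admin-post.php?action=ppom_private_download&file=<name>
add_action( 'admin_post_ppom_private_download', 'ppom_example_private_download' );
add_action( 'admin_post_nopriv_ppom_private_download', 'ppom_example_deny' );

function ppom_example_deny() {
    wp_die( 'Login required.', 'Forbidden', array( 'response' => 403 ) );
}

function ppom_example_private_download() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        ppom_example_deny();
    }
    // Nonce check: download links are built with wp_nonce_url( $url, 'ppom_download' ).
    check_admin_referer( 'ppom_download' );

    $uploads = wp_upload_dir();
    $base    = realpath( trailingslashit( $uploads['basedir'] ) . 'ppom_files' );

    // basename() strips every directory component, so "../" cannot escape $base.
    $name = basename( sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) ) );
    $path = ( false !== $base && '' !== $name ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;

    // realpath() resolves symlinks; confirm the result is still inside the folder.
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        wp_die( 'File not found.', 'Not Found', array( 'response' => 404 ) );
    }

    $type = wp_check_filetype( $path );
    header( 'Content-Type: ' . ( $type['type'] ?: 'application/octet-stream' ) );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
}
```

A quick check after deploying the deny rule is to request one known file under ppom_files/ while logged out and confirm the server answers 403 rather than 200.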