When adding a File that is already in the System as an attachment, frappe creates a public copy of that file. See Attach creates public File Copy · Issue #20938 · frappe/frappe · GitHub
Related Topics:
After seeing the github issue, I think that this is quite a big security issue!!
Can anybody from Frappe comment on this?
I agree with this assessment - this is a major issue with documents that shouldn’t be made public. For example there are signed invoices or other business sensitive documents being attached which are being made public.
What I’m finding is when a document has an attachment set to private, the attachment remains private. However if I cancel the document and amend it, the attachment now becomes public without making any other changes to the document.