If I email a customer using Support Ticket, and attach a document by uploading it first, that document appears to be publicly available, via /files/. , even if you’re not authenticated at all. (at least when running via bench start).
This is of course completely unworkable - that document could be sensitive.