I am pretty sure the files you upload (the .CSV itself) is the file being marked as private, which should work (limit access if not logged in as the user that uploaded the CSV). If you wish for the resulting fields to be private from searches etc, this will have be be handled in the Data Privacy tab.
You may need to add an additional workflow event when the user interacts with your app. For instance, you may need two workflows: one for importing the CSV and another for uploading the CSV document. It may be possible to do this in one event but that depends on how technical you want to get.
I guess my followup question was not understood. Since the uploaded file is not saved to any field, and it is only used for import its data into other fields. My question is: What happens to the file itself?
I want to know that it is not accessible to anyone else.