My apologies but I don’t think you have understood. The privacy rules are set, I only uploaded the file once, the file is attached to a database entry where the file attachment privacy rule is set, no one who is not logged in should be able to see the file. The first link shows this has worked. But if I change the beginning of the link, the file can be opened anyway.
“when you access it from editor, Bubble generate a different url (this is the “see file” URL).” I think this part of your comment is what I am talking about => yes it does generate another URL but the URL is only different in the beginning string, the end string stays the same.
Again please feel free to send me a link to a private file to test this, I think by changing the beginning it can be opened regardless of being logged into the editor or not.