- Create a restricted category, and post an attachment in there.
- With another account, one that doesn’t have access to the restricted category, try and access the uploaded file (e.g. the original user has copied the link, perhaps in a forwarded email by mistake)
- User is able to access the file
This is more a people issue rather than a technical one I think, since instead of sharing the link, they could just email the attachment themselves anyway. If there is, however, any way of validating permissions before allowing access to an attachment that could be worthwhile, even a Good Thing™?