Agreed. Looks like we need a plugin that
- disables direct access to files in /wp-content/uploads/
- serves up this content after first applying the appropriate level of authentication (e.g. is this user a subscriber?)
Member Access looks promising but it doesn’t have this functionality (yet?):
http://www.chrisabernethy.com/wordpress-plugins/member-access/
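The two requirements above (block direct access to the uploads directory, then serve each file only after checking who is asking) can be met with a small WordPress plugin. The following is an added example written for this thread, not code from the post or from the Member Access plugin. It assumes Apache with mod_rewrite, WordPress installed at the site root, and the WordPress `read` capability (which Subscribers hold) as the test for "is this user a subscriber"; the query variable name `protected_upload` is an arbitrary choice.

```php
<?php
/*
Plugin Name: Protected Uploads (example)
Description: Serve files under wp-content/uploads only to logged-in users with the 'read' capability.
*/

// Assumed Apache rule placed in wp-content/uploads/.htaccess. It stops Apache
// from serving uploads directly and routes every request through WordPress:
//
//   RewriteEngine On
//   RewriteBase /wp-content/uploads/
//   RewriteRule ^(.*)$ /index.php?protected_upload=$1 [QSA,L]

// Register the query variable so WordPress passes it through to get_query_var().
add_filter( 'query_vars', function ( $vars ) {
    $vars[] = 'protected_upload';
    return $vars;
} );

// Runs before any template is loaded; handles (and ends) the request for a protected file.
add_action( 'template_redirect', function () {
    $relative = get_query_var( 'protected_upload' );
    if ( $relative === '' ) {
        return; // not an upload request, let WordPress continue normally
    }

    // Authentication / authorisation: anonymous visitors and users without
    // the 'read' capability get a 403 and never learn whether the file exists.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        status_header( 403 );
        exit;
    }

    // Confine the request to the uploads directory: realpath() collapses any
    // "../" segments, and the prefix check rejects anything that escapes $base.
    $upload_dir = wp_upload_dir();
    $base = wp_normalize_path( realpath( $upload_dir['basedir'] ) );
    $path = realpath( $upload_dir['basedir'] . '/' . $relative );
    if ( $path === false ) {
        status_header( 404 );
        exit;
    }
    $path = wp_normalize_path( $path );
    if ( strpos( $path, $base . '/' ) !== 0 || ! is_file( $path ) ) {
        status_header( 404 );
        exit;
    }

    // Serve the file with its registered MIME type and no caching, so a
    // shared cache cannot hand it to the next (unauthenticated) visitor.
    $filetype = wp_check_filetype( $path );
    $mime     = $filetype['type'] ? $filetype['type'] : 'application/octet-stream';
    nocache_headers();
    header( 'Content-Type: ' . $mime );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
} );
```

Two design points worth noting: the capability check happens before any filesystem work, so unauthenticated requests cannot be used to probe which files exist, and the path check relies on `realpath()` plus a prefix comparison rather than on stripping `..` from the input. If WordPress lives in a subdirectory, the `/index.php` target in the rewrite rule has to be adjusted accordingly.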