I’ve done a bit more investigating – it looks like any file is properly restricted to a certain role *until* a single registered user downloads it, then it becomes available to anyone via the URL. The .htaccess and .htpasswd files for the uploaded content don’t change, so it’s a mystery how permissions could be changing in this way.
