If I have a link to one file, I can download it regardless of whether I am logged in or not.
For example, I set up a wordpress install at mydomain.com/testwp, then installed the plugin and uploaded a couple of files. From a completely different machine I can enter this URL and get a file:
[OBVIOUSLY THAT IS A FAKE URL, ENTER YOUR OWN]
That will download a file that is in the system regardless of who goes to that link.
Additionally, simply by incrementing the FID, I can download all of the files in the repository.
The only security that seems to be enabled is to hope that someone doesn't figure out your URL. Any single user that has access to one file can now get every file on your system.