The method in place now is much more secure than the previous method, which had zero protection.
The Options -Index prevents bots or users from browsing the folders and locating the files. It does not, as you noted, prevent anyone from accessing the file if they know the exact URL, but the exact URL is never given out.
If you can provide a better solution, I'm all ears.
The current method still allows your files to be outside of the root, though I don't quite understand how that would work here because nothing outside the root is accessible via your site's URL, ever. The only way that works is if you provide the system an actual file path to the files, but EDD doesn't (and never has) allowed that.