Searching the help forum here, I found that Moneygala asked this question at the end of a thread 4 months back and didn't get a reply. I have the exact same question:
"On the subject of security:
Files are simply uploaded to the 'uploads folder' - by typing the general upload location in the browser, all uploaded files are visible to the public.
Do you have any plans to resolve this or indeed a 'work-around'?"