I did some test and I experienced the following:
If I upload an attachment from my cumpoter as private (closed locker icon) to a helpdesk issue, then I can chose that file (from already uploaded file list) with an another user who dont have access to helpdek. After that of course this second user also can read that attachment.
If I go to file manager with this second user I dont see Attachemnt folder or those files. (I think its good).
I read doctype should manage the file access. Is it okay, or I found a bug and should I report on github?
Keep up the good work!