It seems that anyone with the direct link can download or view attachments that would otherwise not be shown to users.
For example, if you upload an attachment to EXP00001, the direct link to the file becomes
Anyone who knows the above URL can access the attachment directly, without any authentication. Suggestion: check for a valid session when serving anything under /files/, and also check whether the user has permission to read the specific record the file is attached to, e.g. the expense claim.
Tested on ERPNext: v5.6.2
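The following is an added illustration of the two checks suggested above, written as a small stand-alone model rather than as ERPNext/Frappe code. The attachment table, the per-record reader lists, the user names and the `serve_file` handler are all constructed for this example; the point is the decision logic: a file attached to a record is refused to anonymous requests (401), and a logged-in user is refused unless they may read the record the file hangs off (403), so a leaked URL alone is not enough.

```python
# Added illustration (not ERPNext/Frappe code): a minimal model of the
# session-plus-record-permission check the report asks for on /files/.
# All file paths, records, users and function names below are constructed.
import posixpath
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

RecordKey = Tuple[str, str]  # (doctype, record name), e.g. ("Expense Claim", "EXP00001")

# Constructed attachment table: file path -> record it is attached to.
# None marks a file that is not attached to any record (e.g. a site logo).
FILE_ATTACHMENTS: Dict[str, Optional[RecordKey]] = {
    "/files/receipt-EXP00001.pdf": ("Expense Claim", "EXP00001"),
    "/files/company-logo.png": None,
}

# Constructed read ACL: which users may read each record.
RECORD_READERS: Dict[RecordKey, Set[str]] = {
    ("Expense Claim", "EXP00001"): {"alice@example.com", "hr@example.com"},
}


@dataclass
class Session:
    user: Optional[str] = None  # None: no valid session cookie (anonymous request)


def serve_file(session: Session, requested_path: str) -> int:
    """Return the HTTP status the /files/ handler should answer with.

    200: serve the file; 401: no session; 403: logged in but not allowed
    to read the attached record; 404: unknown path or path outside /files/.
    """
    # Normalise first so "/files/../private/x" cannot escape the files tree
    # or dodge the attachment lookup below.
    path = posixpath.normpath(requested_path)
    if not path.startswith("/files/") or path not in FILE_ATTACHMENTS:
        return 404

    attached_to = FILE_ATTACHMENTS[path]
    if attached_to is None:
        return 200  # not tied to any record, so no record-level check applies

    # Check 1: a file attached to a record is never served to an anonymous request.
    if session.user is None:
        return 401

    # Check 2: the session user must be allowed to read that specific record,
    # not merely be logged in. This is what stops user B fetching user A's claim.
    if session.user not in RECORD_READERS.get(attached_to, set()):
        return 403

    return 200


if __name__ == "__main__":
    for who, s in [("anonymous", Session()),
                   ("alice", Session("alice@example.com")),
                   ("bob", Session("bob@example.com"))]:
        print(who, serve_file(s, "/files/receipt-EXP00001.pdf"))
```

The permission check deliberately keys on the record the file is attached to, not on the file name: the file path is what leaks, so nothing derived from it can be trusted as an authorisation signal.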