There is a Deeplink module https://marketplace.mendix.com/link/component/43 that allows you to generate the link. The link together with a pin (and encryption/decryption) can be used to link that link to a PIN. But, if not logged in to the system as a user, you can not add Microflow logic to prevent Anonymous users to download any file that is allowed to be read by Anonymous users. Of course, this requires some skills and knowledge of the system, but you can not prevent it if you build it like this.
You could create a cryptosystem that stores the files encrypted and in a Nanoflow, using the PIN/secret to decrypt it. It can be done with the modules in the Marketplace, like “Community Commons”. Or create a Java Action using the Apache Common Crypto. In that way, anonymous users can download encrypted files, but it will be useless to try to read them without the PIN/secret. But this makes the system store files multiple times if you need the file in multiple projects.
If you create a large table that can be used as a lookup table from PIN to Secret, and use some part of the pin to identify the project, you could make it store each file only once and reuse it in multiple projects. This is less secure than the previous option, but will keep the file safe from disclosing without knowing your way of doing it (security by obscurity). Your way of doing it must be made available in a Microflow or Nanoflow and these Flows you should not expose to a button. Thinking of it, this is a challenge. Maybe it can be decoupled using a Task Queue, but I need to think a little longer on this concept (and build an example myself).
If you have the option to license the App, you would have all the functions to make it very secure, by giving files the context of a logged in user and his/her relation to projects etcetera.
DM me if you want to discuss this in an online session.
Go Make it.