What files are able to be downloaded? Are they files that you store in an entity that inheits file document? If so, have you checked the access rules?
Are these links created by the deep link module that triggers a microflow that downloads these files? if so, the deeplink has a checkbox called "allow guests".
These are not any entity related or deep link related documents. Once the mendix mda files are deployed in the application server, we have a Forms folder (forms/en_US) containing mxf files. These files can be accessed without login to Mendix app, using direct links in the format http://server name /forms/en_US/*.mxf. We want to block the direct access to these files.
Not sure if it's applicable, but you have an attribute called 'DeleteAfterDownload' in System.FileDocument.
If your 'file' inherits from System.FileDocument, you can set this attribute to 'True' if you create it. After downloading the file (like a PDF-document), it will be deleted from the Mendix file storage, thus making it inaccessible even if you do have the URL to the document.
Sigil inherits from System.Image, which in turn inherits from System.FileDocument and has the DeleteAfterDownload attribute.
Set the value to 'true' while creating it.
Now, the Sigil image will be deleted after it's been downloaded.
(Note: in this case, it's an image that will be only downloadable once. Doesn't make that much sense from a practical point of view, but I use this just to illustrate a possible approach).