On a new install, at least, you can configure CiviCRM to save file uploads to a different directory by changing Directory Preferences→uploadDir.  It would suit our purposes if this was a non-accessible directory; then our extension could serve the files to people who were authorized to view them.

[CiviCRM recommends making this configuration change](https://civicrm.org/advisory/civi-sa-2014-001-risk-information-disclosure).  Given that, I think we can count on administrators to have done so, and be satisfied with the security on the uploads directory, even though it's out of our hands.

Note that we'll need to be careful to make sure files go to `uploadDir`, and not `imageUploadDir`, where anonymous web access still needs to be allowed.