Basically during the Content Structure definition, when you have a File field instance, you can choose if you want to store those files on the public file structure or in the private file structure. (normally public by default).
If private option is selected, then the file will follow the same permissions as the content it’s attached to, and even accessing the url won’t work.
Please note that uploading the files directly on the private directory using webdav doesn’t have the same effect, it needs always to be uploaded using Drupal and with the Upload destination as Private.
provided “two useful features which Drupal itself is missing: a simple permission to allow downloading of private files by role, plus the ability to combine both public and private downloads”.
Compatible 7,8,9, Stable releases and covered by the security advisory policy.
We use this module with roles and work well, I never test for a single user.