Let’s add a finer point to the term “public”.
“Public” is not the same as openly accessible. Airtable uses an unpredictable and undiscoverable URI for its attachments. Many SaaS systems use exactly this approach. While these resources are openly accessible by those who possess such unpredictable and undiscoverable URIs, they are secure to the extent that you take full responsibility for revealing them ONLY to trusted parties.
Airtable attachments cannot be added [via URL] to a database unless they are openly accessible. If you upload attachments from your desktop, you have [perhaps unintentionally] agreed to transform them from a local and largely inaccessible artefact into a cloud-based artefact with all risks associated with such action.
For sensitive information and where you intend to expose the unpredictable and undiscoverable URIs for these assets, this is not ideal. You need a different architecture or at least a different document management approach. But Airtable does this in ways that are identical to many other platforms and for sensitive data they (and other platforms) are creating risks. Security through obscurity is simply a bad idea.
But, they offer this because you want convenience. You’d prefer a system that magically makes it easy to curate, host, and render attachments and all without the headaches of authentication between two very different platforms - the database app and the CDN where information is hosted.
You have chosen this path because making copies of your information truth (the original documents) is easier than handling the security architecture required and the negative impact it will have on your users’ productivity.
Stop using Airtable attachments as a document management system for sensitive information. Instead, store attachments by reference (i.e., links) to their original, secure, truthful locations. Force your users to re-authenticate when accessing attachments.
To be clear, Airtable - especially its attachment feature - was never intended to be used as a back-end database. I get it - we want to use the information for many objectives. But Airtable provides fair warning about using it as a broad CDN or database platform for other apps.
But even in your Bubble app, I struggle to understand how your non-Airtable users of a private app are able to learn the unpredictable and undiscoverable URIs for your attachments. Please explain - I just don’t understand how this breach is occurring.