You are correct that anyone with the url for an attachment can access that attachment. They cannot be protected with a password. The attachments also persist after the attachment is deleted fro Airtable, depending on the length of the revision history.
It is up to you to decide it those urls are sufficiently obscure for your purposes.