This still bothers me a little. I have a base where I upload attachments of pdfs that may contain confidential information. Each attachment has its own URL, and although they don’t show up on a Google search or anything like that, there’s nothing to prevent someone who didn’t have access to the base to which the attachments are uploaded from accessing them by the URL. It also doesn’t seem to be possible to password protect uploaded pdfs. Any advice on this from a data security point of view?
You are correct that anyone with the url for an attachment can access that attachment. They cannot be protected with a password. The attachments also persist after the attachment is deleted fro Airtable, depending on the length of the revision history.
It is up to you to decide it those urls are sufficiently obscure for your purposes.