Is it possible for an attacker to see all files inside of /uploads?

The built-in upload plugin adds a ‘hash’ to each file name, so it would be difficult to predict any other names, given you know one. You can also set up a reverse proxy in front of Strapi, to prevent fetching the uploads directory as a list. Or you can simply pop an ‘index.html’ file in it, which will then be served instead of listing the contents. Anyone with a link to one file would then find it ‘quite hard’ to read others … But a brute force attack would still work.

If you want to deny access to any file, except to an ‘authorised’ user (authorised, that is, to view only that file) then you possibly need a new middleware module that filters requests for uploaded files and perhaps requires an authorisation header for this particular category. Or you could handle uploads in a completely new plugin and control access within its API routes.
