Securing media while calling "upload"

I managed to grab ALL attachments with the GET API.

But wouldn’t these be concerns:

  • No row security: what if I only want the GET list user to access specific attachments (e.g. category is “NOT HR” or “not uploaded by director”)?

  • From the screenshot, we can pull the actual “url” link (e.g. “http://localhost:1337/uploads/sample_cbd721d930.pdf”). It’s a fixed URL, which means I can pass it to someone not within the organization, and they can just simply access the content?

Based on the 2 concerns above, how can Strapi protect the content (with only authenticated access)?

Thanks