Moodle stores the files uploaded by the users in a data directory. This directory should not be accessible to the general public over the web, that is, you should not be able to type in the URL for this directory and access it using a web browser. You can protect it either using a .htaccess file or by placing the directory outside of the web server's documents directory.