By default, PaddlePress PRO protects download files inside the wp-content/uploads/paddlepress-downloads/ folder with a .htaccess file, but this only works if your site is running on Apache. NGINX does not read .htaccess files, so if your site is running on NGINX, the download files are not protected and can be downloaded by anyone.
Where your server {} block lives depends on your server configuration. Locate it and add the following lines inside it:
# Block direct web access to PaddlePress download files (case-insensitive match).
location ~* /wp-content/uploads/paddlepress-downloads/ {
    deny all;
    return 404;
}
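To confirm the rule is active after reloading NGINX, request a file that really exists in the folder and check the status code. The script below is an added example, not part of PaddlePress; it assumes curl is installed, and the site URL and file name are arguments you supply.

```shell
#!/bin/sh
# Usage: sh check-downloads.sh https://your-site.example existing-file.zip
# The file name must be one that really exists in the folder: a missing
# file returns 404 with or without the rule, which proves nothing.

PROTECTED_PATH="/wp-content/uploads/paddlepress-downloads/"

# Map the HTTP status of a request into the protected folder to a verdict.
classify_status() {
    case "$1" in
        403|404)         echo "protected" ;;   # rule is active
        200|206)         echo "EXPOSED" ;;     # file was served
        301|302|307|308) echo "redirect" ;;    # re-run against the final URL
        000|"")          echo "unreachable" ;; # no HTTP response at all
        *)               echo "unknown" ;;
    esac
}

# Build the probe URL from the site base URL and a file name.
probe_url() {
    base=${1%/}   # drop one trailing slash from the base URL
    file=${2#/}   # drop one leading slash from the file name
    printf '%s%s%s\n' "$base" "$PROTECTED_PATH" "$file"
}

# Request the file and report; returns 0 only when access is blocked.
check_downloads() {
    url=$(probe_url "$1" "$2")
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url") || code=000
    verdict=$(classify_status "$code")
    echo "$url -> HTTP $code ($verdict)"
    [ "$verdict" = "protected" ]
}

# Run the check only when both arguments are given.
if [ "$#" -ge 2 ]; then
    check_downloads "$1" "$2"
fi
```
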
If you don’t know which web server you are using, please reach out to your hosting provider along with a link to this support page.