Private attachments
Corey Stryker
Some attachments have private information for only my eyes or select people, but I need everyone to see the task that the attachment is associated with.
Kristen Connolly
Agree with Eric. FYI, we just discovered that all attachments in ClickUp are public-facing (e.g., when they are an attachment to an email to a support@ address that becomes a ClickUp Task, or when you email out from within a Task and someone replies and includes an attachment). Because it is really relevant to how our team hopes to use threaded emails, I wanted to share it with the folks on this Feature Request. See https://clickup.canny.io/feature-requests/p/dont-make-attachments-available-externally-via-url-unless-specifically-set for more info, in case you also find it relevant.
Eric Lentz
If that information is not only private, but confidential, then don't store it as an attachment.
Anyone with the attachment URL can download the file. Copy the link and go into incognito mode (not signed on), and you can download that file without specifying a secret key.
This is "Security by obscurity" and "Security experts have rejected this view as far back as 1851, and advise that obscurity should never be the only security mechanism." source: https://en.wikipedia.org/wiki/Security_through_obscurity
The default should be that only signed on users can download the file, and then only those who have permission to the task and attachment (if attachments can be made private).
The API should also permit a way to download those files using the security mechanism in play with the API.
Tim Bolivar
This would be absolutely super useful! For example, if I want a contractor to see my Client's information which I have contained in a task, but not to see the quote I've supplied to this Client, then I would need to have the quote only visible to me and not guests.