HTTPS Ready + Hide the repository.
Encrypt all communication with your site using a SSL Certificate and using https.
If you have full control of; or your host allows, you can use the FREE let's encrypt
certificates or any other valid SSL Certificate.
Keep your file repository hidden!
You can easily place the folder with all your files wherever you want on your server, such as a directory above public_html or even on a separate dedicated drive! That way your files can only be accessed by the preview/download script, and only with the unique code for each user / share. If you didn't, then someone could technically access a file if they knew the file name, but this way, there's zero chance someone can access unsecurely.