- Security Issue
- Resolution: Fixed
- Major
- 3.2.5
- None
In includes/functions_download.php on line 199 and line 454 the Cache-Control is set to public.
header('Cache-Control: public');
A proxy service may cache a file in private forums or PMs, giving access to someone who does not have access. Minimally, this should be set to private. Ideally, to leverage a public cache, files that can be viewed by the anonymous user could be set to public and all others set to private.
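The caching behaviour described above, as an added example that is not part of the original report and is not phpBB code: a simplified model of a shared proxy cache in front of a download endpoint, comparing an always-public header with the per-file policy the report suggests. The user names, paths, and the `cache_control_for` helper are constructed for illustration.

```python
# Added illustration: a simplified model, not phpBB code. Users and paths are constructed.
GUEST = None  # request without a session

def cache_control_for(guest_can_view):
    """Policy from the report: public only for files the anonymous user may view."""
    return "public" if guest_can_view else "private"

class Origin:
    """Download endpoint that checks an ACL and then labels the response."""
    def __init__(self, acl, policy):
        self.acl, self.policy = acl, policy

    def get(self, path, user):
        allowed = self.acl[path]
        if GUEST not in allowed and user not in allowed:
            return 403, {}, b""
        headers = {"Cache-Control": self.policy(GUEST in allowed)}
        return 200, headers, ("contents of " + path).encode()

class SharedCache:
    """Proxy cache keyed by URL only; it never sees the forum's permission check.
    Simplification: it stores a 200 only when the response is marked public."""
    def __init__(self, origin):
        self.origin, self.store = origin, {}

    def get(self, path, user):
        if path in self.store:
            return self.store[path]  # replayed to whoever asks
        status, headers, body = self.origin.get(path, user)
        directives = {d.strip().lower() for d in headers.get("Cache-Control", "").split(",")}
        if status == 200 and "public" in directives:
            self.store[path] = (status, headers, body)
        return status, headers, body

ACL = {"/attachment/pm": {"alice"}, "/attachment/guest": {GUEST, "alice"}}

def status_for_second_user(policy, path="/attachment/pm"):
    """alice fetches through the proxy first, then bob requests the same URL."""
    cache = SharedCache(Origin(ACL, policy))
    cache.get(path, "alice")
    return cache.get(path, "bob")[0]

def always_public(_guest_can_view):
    return "public"  # behaviour described in the report

if __name__ == "__main__":
    print("always public  :", status_for_second_user(always_public))
    print("per-file policy:", status_for_second_user(cache_control_for))
```

With the per-file policy, guest-viewable files still land in the shared cache, while restricted files always go back to the origin's permission check.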