True! If your customer publishes the URL of a file uploaded to Nabble's servers there is no protection of that file.
But couldn't any of your customers upload the file they got from that "secure" area and upload it somewhere else and then publish the new address? It would take but a few seconds and would destroy the supposed security of your customer area.
Even if you uploaded to the file to some password protected place away from Nabble, what's to stop your customers publishing the address and password?
The fact is, once you've passed a file to someone else you have to trust them to handle it as you would want. Ultimately, there is no method that stop those determined to to crack your security.
If you're really worried, then there are other approaches you could consider that are trickier to crack, such the one the BBC use on their iPlayer - files that destroy themselves after a certain time, or the kind of thing Microsoft does with Windows, and tie files down so that they only open on certain hardware, so you can't install it on multiple machines.
For practical purposes, the best you can probably manage is "reasonable" security and posting the URL behind a Nabble password protected area is, probably as good as it gets.
Volunteer Helper - but recommending that users move off the platform!
Once the admin for GregHelp now deleted.