How are the protected downloads handled? Only by obscurity?

In the member plugin, how are protected downloads handled? Is masking the url the only protection it delivers?

If I used the membership plugin for 1 site within a multisite installation, and set up a protected folder with a unique name to mask it, couldn’t someone just know that files in a multisite installation are stored at /files ? Seems pretty pointless or am I missing something?

Ultimately I want to protect files from being copied and pasted into the browser address bar if the url is shared. This is probably more of a .htaccess thing though isn’t it?