Previously posted by David Rothstein in the private security tracker:
I noticed that when upgrading from D6 to D7 the "view uploaded files" permission goes away completely, with nothing to replace it.
Thus, files which were previously private suddenly become visible to everyone during the D6 to D7 upgrade (when they are converted from the Upload module to file fields). Presumably the only way to fix that would be for the site to install/configure the Field Permissions module, but there is no warning or notification whatsoever about that.
The security team has decided that this should be handled in public as there is not much we can do in Drupal 7 core to "fix" this issue.
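A pre-upgrade audit for the condition described above, as an added example that is not part of the original post or of Drupal's code: it lists the Drupal 6 roles that lack "view uploaded files" and counts the Upload module attachments whose restriction would disappear in the upgrade. The `role`, `permission` and `upload` tables are reduced to the columns used and are assumed to follow an unprefixed D6 schema; the function names and sample rows are constructed for illustration.

```python
import sqlite3

PERM = "view uploaded files"  # D6 Upload module permission named in the report


def roles_losing_restriction(conn):
    """Return (roles that lack PERM in D6, number of Upload attachments)."""
    rows = conn.execute(
        "SELECT r.rid, r.name, p.perm FROM role r "
        "LEFT JOIN permission p ON p.rid = r.rid ORDER BY r.rid"
    ).fetchall()
    granted = {}  # rid -> (role name, set of permissions)
    for rid, name, perm in rows:
        perms = granted.setdefault(rid, (name, set()))[1]
        # D6 stores a role's permissions as one comma-separated string;
        # a role with no permission row at all yields perm = None.
        perms.update(x.strip() for x in (perm or "").split(",") if x.strip())
    denied = [name for name, perms in granted.values() if PERM not in perms]
    uploads = conn.execute("SELECT COUNT(*) FROM upload").fetchone()[0]
    return denied, uploads


def sample_d6_db():
    """Constructed sample data, not taken from a real site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role (rid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE permission (pid INTEGER PRIMARY KEY, rid INTEGER, perm TEXT);
        CREATE TABLE upload (fid INTEGER, nid INTEGER, vid INTEGER);
        INSERT INTO role VALUES (1, 'anonymous user'), (2, 'authenticated user'),
                                (3, 'editor'), (4, 'guest');
        INSERT INTO permission (rid, perm) VALUES
            (1, 'access content'),
            (2, 'access content, upload files'),
            (3, 'access content, upload files, view uploaded files');
        INSERT INTO upload VALUES (10, 1, 1), (11, 2, 2);
    """)
    return conn


if __name__ == "__main__":
    denied, count = roles_losing_restriction(sample_d6_db())
    if denied and count:
        print(f"{count} attachment(s) are hidden from: {', '.join(denied)}")
        print("Plan field-level access control before upgrading to D7.")
```

A non-empty role list together with a non-zero attachment count means the site relies on the permission that the upgrade drops.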