Question about restricted files accessible via anonymous private URLs

[Tutasi]

Hello everyone,

We have a question regarding the behavior of anonymous private URLs in Dataverse.

When an anonymous private URL is generated for a dataset, we noticed that restricted files can still be downloaded through this link, even though the file restriction is correctly applied. Accessing the dataset via the anonymous private URL (from a browser where the user is not logged in) prevents the file from being viewed directly, but still allows it to be downloaded and opened locally.

Is this the expected behavior in Dataverse core?
If so, are there any plans to change it so that restricted files remain fully inaccessible (not downloadable) through anonymous private URLs?

For now, it seems that the only workaround is to avoid including sensitive or identifying information in restricted files (e.g., Readme files) when using anonymous private links.

Thank you in advance for your insights and clarification.

Best regards,