phpBB files are served through a script and are already "secured" through permissions. e.g. only the sender and recipient can view an attachment sent in a PM. Attachments posted to forums are based on group permissions. If you have a private forum a group that has no download permissions they cannot view files posted in that forum. Note I said download permissions because you can allow the downloading of files and deny access to the forum.
As side not be aware when using a caching service like Cloudflare if you enable caching of file.php download permissions go out the window.
The secure downloads should be self explanatory and adds additional layer of security because you can include/exclude downloads by IP etc. It's effectively a firewall but just applies to attachments. The usefulness of this is quite limited.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”
Attributed - Thomas Edison