When I was using the iOS messaging app I used:
https://mydomain.TLD/local/some_directory/filename.jpg
The file was located in
/config/www/some_directory/
Everything in the /local folder is available externally but cannot be listed remotely. So if you want some level of security for preventing people browsing common image names change /some_directory to a random string like /asdQQLopHDlgp342nd892/. Then the chance of someone randomly browsing to it is very slim.
This was before the media folder was a thing. I believe I read that it can be exposed to external networks but am not sure how.
EDIT: see here: