/local/ vs.?

Did some quick Googling and couldn’t find anything. Please let me know if addressed somewhere that I missed.

Is there a specific folder that images, etc. should be stored in so that they are not publicly available? The HTTP documentation specifically calls out that:

Files served from the www folder (/local/ URL) aren’t protected by the Home Assistant authentication. Files stored in this folder, if the URL is known, can be accessed by anybody without authentication.

but doesn’t mention other ways to serve files that do require authentication.

Am I completely misunderstanding the basics?

No.

You can’t list the contents of /local, though. So if you have sensitive information, put it in a folder with a long random name. Almost as good as a password.
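An added example, not part of the original posts: one way to apply the random-folder suggestion above and to check which files under www are still reachable by a guessable /local/ URL. The helper names, the 43-character token rule and the sample files are assumptions made for illustration.

```python
import re
import secrets
import shutil
import tempfile
from pathlib import Path

# Assumption: a name counts as "unguessable" if it looks like a token from
# secrets.token_urlsafe(32) (43 URL-safe characters, 256 random bits).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def publish_private(www_root: Path, src: Path) -> str:
    """Copy src into a freshly created random-named folder under www_root
    and return the /local/ URL path that now serves it."""
    folder = www_root / secrets.token_urlsafe(32)
    folder.mkdir(parents=True)
    shutil.copy2(src, folder / src.name)
    return f"/local/{folder.name}/{src.name}"


def guessable_files(www_root: Path) -> list[str]:
    """List /local/ URL paths of files that are NOT inside a random-named
    folder, i.e. reachable by anyone who guesses a plain name."""
    exposed = []
    for path in sorted(www_root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(www_root)
        if not any(TOKEN_RE.match(part) for part in rel.parts[:-1]):
            exposed.append("/local/" + rel.as_posix())
    return exposed


def demo() -> tuple[str, list[str]]:
    """Run both helpers against a constructed www folder in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        www = Path(tmp) / "www"
        (www / "cameras").mkdir(parents=True)
        (www / "cameras" / "front_door.jpg").write_bytes(b"constructed sample")
        (www / "floorplan.png").write_bytes(b"constructed sample")
        url = publish_private(www, www / "floorplan.png")
        return url, guessable_files(www)


if __name__ == "__main__":
    url, exposed = demo()
    print("unguessable URL:", url)
    print("still guessable:", exposed)
```

The copy left at the top level of www stays reachable under its plain name until it is deleted, which is why the audit still reports it.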