1) To secure the files and make sure they cannot be downloaded by accessing them directly using a direct URL, you should store the file outside of the root of your server. If security is a question, then yes, the upload form should be on an secure server.
2) No, DFP does not have a feature to encrypt data as it is sent from the clients computer to the server. for this, you would need to use an ssl certificate on the server so the uplaod would be performed behind the Secure Layer.
3) No, DFP Cannot make database or FTP Connections. The files are transited by the form using the multipart/form-data encoding type, then stored ion the server file system.
4) see 3
5) Yes, that is correct.