The reason to store the files outside of the webroot is to prevent site visitors from accessing the files directly by typing in the URL:
coolFile.mp3
There is not a way to lock access out by URL but still allow access through the Download server behavior.