If the files are in a directory called say "t14s4otw" then only somebody that knows it's there can see it. This is in effect a password,
and just as secure as the password protecting your FTP login.

You can increase security by using ".htaccess" authentication, if your server is running apache. Run it over "https" to prevent snooping, and it's about as secure as any system connected to the net can be.

Have a look here:
http://www.theriver.com/trwrc/htaccess.html