I don't think you set your security properly in the domain model, because you can't access other people's objects like this normally if you configured your security to disallow this (with an XPath constraint).
Adding a timestamp after the file id would be 'security through obscurity' and not really safe.
So if you make sure (by setting security) the other user can't access the FileDocument object then he will also be unable to download the actual content of the file.
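The difference between the two approaches in the answer above, as an added example that is not part of the original post and is not Mendix code: a plain-Python model in which `FileDocument`, `STORE` and all three functions are constructed for illustration. The owner check in `retrieve` stands in for an entity access rule restricted by an XPath constraint.

```python
from dataclasses import dataclass

# Constructed sample data: a plain-Python model of the idea, not Mendix code.
@dataclass(frozen=True)
class FileDocument:
    file_id: int
    owner: str
    changed_ts: int   # timestamp someone might append to the download link
    content: bytes

STORE = {
    101: FileDocument(101, "alice", 1700000000, b"alice-payslip"),
    102: FileDocument(102, "bob", 1700000500, b"bob-contract"),
}

class AccessDenied(Exception):
    pass

def download_obscured(user, file_id, ts):
    """Link is file id plus timestamp; the values in the link are the only gate."""
    doc = STORE.get(file_id)
    if doc is None or doc.changed_ts != ts:
        raise AccessDenied("unknown link")
    return doc.content  # 'user' is never consulted

def retrieve(user, file_id):
    """Object retrieval with an owner constraint applied for every caller,
    standing in for an access rule restricted by an XPath constraint."""
    doc = STORE.get(file_id)
    if doc is None or doc.owner != user:
        return None  # the object does not exist as far as this user is concerned
    return doc

def download_constrained(user, file_id):
    """Content is reachable only through an object the user may retrieve."""
    doc = retrieve(user, file_id)
    if doc is None:
        raise AccessDenied("no such file for this user")
    return doc.content
```

In the first handler a link that reaches another user (shared, logged, or left in browser history) is enough to get the content; in the second the same link is useless to anyone but the owner.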