Hi Gaurish,
You are right about the constructed URL; that will be in that format.
However, Mendix will check your session and your access rights before the file is downloaded. For example: if the downloaded file is of the type “EmailTemplate.Attachment”, it will check if the entity access on that entity grants you the rights to view the content (see access rules in screenshot below).
When running locally, you should set the security on Production to have this restriction in place.
Does that answer your question?
Kind regards,
Johan