I’m not a developer with experience in WPengine or nginx, but my understanding is that this is expected behavior. Unless you are using some type of directory protection/passwords (which is rare) the server does not determine whether a user is logged in or not before serving up the file. (i.e. anyone hitting a direct link to your protected file will get it, or no-one will.)
For this reason, s2 blocks direct access to the files, and makes a shortcode [s2File /] (if I remember correctly) that you can use to allow file downloads – but I’ve never used it personally.
On my site, I opted to do something different and I built my own simple, two-part script to solve my problem. (I wanted to primarily hide the location/name of the original files & directories and I don’t know if s2 shortcodes do that.)
The first part of the script checks a user’s access capabilities (logged in, is allowed access to the file, etc.) and if so, it redirects to a second simple script that downloads the file. If a user doesn’t have access, it either stops, exits, or redirects to an upgrade page (I don’t remember which right now).
If you are handy with PHP, here is the StackOverflow question/answer that I had asked which includes some useful information.
Hope this helps.
~Cam
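
The two-part flow described in the post above, sketched as an added example for a WordPress site (this is not Cam's script and not s2Member code). It goes one step further than the description: the download step re-verifies a short-lived signed link, so requesting it directly without passing the access check fails. Assumed names: the `PROTECTED_DIR` path, the `download_protected_files` capability, the `/upgrade/` page, the file IDs and the `file`/`dl`/`exp`/`sig` query parameters.

```php
<?php
// Added example. PROTECTED_DIR, the capability name, the /upgrade/ page, the file
// map and the query parameter names are assumptions, not values from the post.
const PROTECTED_DIR = '/var/www/private-files';           // assumed: outside the web root
const FILE_MAP = ['guide-2024' => 'members-guide.pdf'];   // opaque ID => real name (constructed)
const TOKEN_TTL = 60;                                     // seconds a download link stays valid

// HMAC binds the link to one file, one user and one expiry time.
function gd_sign(string $id, int $uid, int $exp): string {
    return hash_hmac('sha256', "$id|$uid|$exp", wp_salt('auth'));
}

// Part 1: check the user's access, then redirect to the download step.
function gd_gate(string $id): void {
    if (!array_key_exists($id, FILE_MAP)) { wp_die('Unknown file', '', ['response' => 404]); }
    if (!is_user_logged_in() || !current_user_can('download_protected_files')) {
        wp_safe_redirect(home_url('/upgrade/'));
        exit;
    }
    $exp = time() + TOKEN_TTL;
    $sig = gd_sign($id, get_current_user_id(), $exp);
    wp_safe_redirect(add_query_arg(['dl' => $id, 'exp' => $exp, 'sig' => $sig], home_url('/')));
    exit;
}

// Part 2: verify the signed link again before streaming the file.
function gd_download(string $id, int $exp, string $sig): void {
    $ok = array_key_exists($id, FILE_MAP) && $exp >= time()
        && hash_equals(gd_sign($id, get_current_user_id(), $exp), $sig);
    if (!$ok) { wp_die('Link expired or invalid', '', ['response' => 403]); }
    $path = PROTECTED_DIR . '/' . FILE_MAP[$id];
    if (!is_file($path)) { wp_die('File missing', '', ['response' => 404]); }
    header('Content-Type: application/octet-stream');
    // The opaque ID is sent as the filename, so the real name and path stay hidden.
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

add_action('init', function () {
    if (isset($_GET['file'])) {
        gd_gate(sanitize_key($_GET['file']));
    } elseif (isset($_GET['dl'], $_GET['exp'], $_GET['sig'])) {
        gd_download(sanitize_key($_GET['dl']), (int) $_GET['exp'], (string) $_GET['sig']);
    }
});
```

Because the files sit outside the web root and are looked up by ID from a fixed map, no request parameter is ever joined into a filesystem path.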