I’ve been in contact with support and so far the responses are very generic.
When a direct link is made (i.e., a link into the s2member file directory without any ? query-string coding, etc.), the file can be downloaded by anybody.
I noticed my host had nginx, and this has now been disabled, but the result is still the same.
This is a massive vulnerability and so far no one has given any help.
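One server-side check worth making when files in the s2member file directory are reachable by direct URL: a web server that does not read Apache `.htaccess` rules (nginx is the usual case) will serve anything under `wp-content/plugins/s2member-files/` as a plain static file unless it is told otherwise. The following is an added example, not configuration from the post or from the s2member project; it assumes the default `s2member-files` directory path and an nginx `server` block for the WordPress site.

```nginx
# Weak (default) behaviour: with no matching location block, nginx serves
# every file under the plugin directory as static content, so a direct
# link bypasses s2member's PHP access checks entirely.
#
# Hardened: deny direct access to the protected files directory, so files
# can only be delivered through s2member's own download handler.
server {
    # ... existing listen / server_name / root directives ...

    # ^~ makes this prefix match win over regex locations (e.g. a generic
    # static-file cache rule), so it cannot be shadowed by accident.
    location ^~ /wp-content/plugins/s2member-files/ {
        deny all;
        return 403;
    }

    # ... existing PHP / WordPress locations ...
}
```

After reloading nginx, a direct request for any file in that directory should return 403 rather than the file; if a request still succeeds, the file is being served by another layer (a CDN, a second web server, or an alias) and that layer needs the same rule.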