When enabling the security option to secure the download folder (configuration -> security, first option, "Download Ordner schützen?" in german) and saving the options,
JDownload creates an .htaccess file which is only suitable for Apache 2.2 or less:
Options -Indexes
Deny from all
This results in all files in the jdownloads folder still being normally accessible via direct access via their path. On Apache 2.4, instead of Deny from all
it should be Require all denied
A solution working for both 2.2 and 2.4 in the .htaccess (borrowed from the, security-wise, typically well-informed nextcloud) could be to replace the "Deny from all" line by:
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
</ifModule>
JDownload version 3.2.63, Joomla version 3.9.3, Apache 2.4.29, MariaDB 10.3.11, PHP 7.2.15, Ubuntu 18.04.2