The direct link to a file shared via password protected share-link can be accessed without a password.
Not the https://cloud.whatever/f/whatever but the https://cloud.whatever/seafhttp/files/someid/whatever.name link.
Even if you remove the share link, the direct link still allows download.
(even deleting the file does not help, not even clearing the trash)
This should be looked at.
Using latest server version.