Hi,
I have some security issues with the module when using it without modifications.
I set it up using the installation procedure (https://aamportal.com/article/protected-media-files-installation):
- Added Apache rewrite rules at top of my file
- I have a standard upload structure
- I'm using this plugin in conjunction with "Advanced access manager"
When I try to access using the latest official release, the following URL displays my config file:
/?aam-media=wp-config.php
I had to patch the _isAllowed function to set the default action as "false" (disallow access by default).
Can it be related to "Advanced access manager" default settings?
Moreover, when installing v1.2.3 and patching _isAllowed, other restricted resources are no longer restricted, maybe a problem with the "realpath" addition.
You may find the release I'm currently using in the merge request I proposed.
Thanks for your feedback.
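
Added example, not part of the original report and not the plugin's code: a default-deny access check combined with `realpath` containment, the two controls the report discusses. It assumes requested paths are resolved relative to the uploads directory; `resolve_media_request`, `is_allowed`, the `.png` policy and the sample tree are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not the plugin's code; function names are hypothetical.

// Return the real path only if it is a file inside $uploadsDir, else null.
function resolve_media_request(string $uploadsDir, string $requested): ?string
{
    $base = realpath($uploadsDir);
    if ($base === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks, and returns false if missing.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Trailing separator so a sibling like "uploads-old" cannot match "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Default deny: only an explicit boolean true from the policy grants access.
function is_allowed(?string $realPath, callable $policy): bool
{
    return $realPath !== null && $policy($realPath) === true;
}

// Constructed sample tree under the system temp directory.
$site = sys_get_temp_dir() . '/aam-demo-' . bin2hex(random_bytes(4));
mkdir("$site/wp-content/uploads/2024", 0700, true);
file_put_contents("$site/wp-config.php", "<?php // constructed placeholder\n");
file_put_contents("$site/wp-content/uploads/2024/a.png", "constructed");

$uploads = "$site/wp-content/uploads";
$policy  = fn(string $p): bool => substr($p, -4) === '.png'; // stand-in for real access rules

foreach (['2024/a.png', 'wp-config.php', '../../wp-config.php'] as $req) {
    $ok = is_allowed(resolve_media_request($uploads, $req), $policy);
    printf("%-24s %s\n", $req, $ok ? 'serve' : 'deny');
}
```

Comparing the resolved path against the resolved base, rather than the raw request string, is what keeps the containment check from being bypassed or from rejecting legitimate files when the uploads directory itself is reached through a symlink.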