I'm sorry, Sid, that I'm answering a little late, it was a fun weekend, I came to my senses quite recently... 
The wappler can solve this problem without interfering with the docker-compose file at all. If you open the project settings, you will see the folders for saving files field:
Note that the folder is located in the root of the project, and not inside the public folder:
After that, a volume binding record will be automatically added to the docker-compose file:
The need for manual intervention in docker-compose will arise only if you have already created and are using a folder for download files, but you need another folder. In this case, you will have to make an entry of the volume binding in the docker-compose file yourself.
The only way to reliably protect files from public access is to place these files outside the public folder. Therefore, you need to create a folder for download files outside of the public folder.
Yes, your train of thought is correct. 404 is a "Not Found" error. Most likely, it occurs due to the fact that since the folder with files does not have a volume binding in docker-compose, after you deploy the project on your host, files from this folder are not transferred there and it is empty. For this reason, the error 404 is returned, because there are simply no files.