How do I block external access to the attachment of a KB Article

Andres Jasso
Tera Expert

I have a few articles that are marked Public and the attachment link is checked. The understanding of the KB Manager is that the Public role is so that all company users can read the article, which is what is required. I understand the public role on an Article makes the KB article available to all outside users.
Which is correct?

During the search of a KB article in our Service Portal, when the article is found, a user can copy the link to the KB Article and paste it in a private tab and access the attachment in that KB Article without logging into our SSO. The attachment automatically downloads.

We do not want the KB article's contents, in this case the attachment available to outside users who are not logged in.

If I uncheck the attachment link box, and the user does the same action, the file that is downloaded is an HTML file stating that the security check did not pass.
Also, when I remove the public role from the article, it does the same.
This is what we want, but our KB manager wants the role public and the attachment link checked so all company users are able to access the KB article.

The concern here is that the link from the article references the sys_attachment table and not the kb_knowledge table where the KB article resides. How is an outside user able to access the sys_attachment table without logging in, and can we lock it down?

Below is a sample of what the link looks like when the attachment link check box is selected.

https://ourcompany.service-now.com/sys_attachment.do?sys_id=(sample.pdf)&sysparm_viewer_table=kb_knowledge&sysparm_viewer_id=(kb article sample)


1 ACCEPTED SOLUTION

Ravi Chandra_K
Kilo Patron

Hello @Andres Jasso 

A public role is for giving access to external users outside the organisation. It is not for company users. There are other criteria for that, like All Active users or snc_internal users, depending on the criteria.

This role is used for public facing KB bases and KBs.
If this article is not supposed to be read by external users, that role can be removed.
You can also create a read ACL on the attachment table (if the user is a guest user, deny access on attachments; make sure it is not impacting other areas).

Please mark this answer as helpful and correct if it helped.

Kind Regards,

Ravi Chandra 

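One way to express the attachment-table check described in the accepted answer, as an added example that is not part of the original thread or of ServiceNow's own code: the decision is written as a plain function so it can be run and tested outside the instance, and the deny is scoped to attachments whose parent record is in kb_knowledge so attachments on other tables are not affected (the "other areas" caveat). It assumes the ServiceNow API names `gs.getSession().isLoggedIn()`, `current.table_name` and `gs.info()` for the wiring shown in comments; the `session` and `attachment` objects are constructed stand-ins.

```javascript
// Added example, not code from the original thread or from ServiceNow.
// Decision logic for a read ACL on sys_attachment: refuse to serve KB-article
// attachments to a session that is not logged in (the guest session), and
// leave attachments on every other table to the existing rules.

// Parent tables whose attachments must never be served to an unauthenticated session.
const PROTECTED_PARENT_TABLES = new Set(['kb_knowledge']);

function evaluateAttachmentRead(session, attachment) {
  const loggedIn = session.isLoggedIn === true;
  const parentTable = String(attachment.table_name || '');
  if (!loggedIn && PROTECTED_PARENT_TABLES.has(parentTable)) {
    // The public role on the article does not matter here: the file itself
    // lives in sys_attachment, so the check has to happen on that table.
    return { allow: false, reason: 'guest session on ' + parentTable + ' attachment' };
  }
  // Not denied by this rule; the other read ACLs on sys_attachment still apply.
  return { allow: true, reason: 'not covered by guest restriction' };
}

// How the ACL script body would use it inside the instance (API names assumed; not run here):
//   var verdict = evaluateAttachmentRead(
//     { isLoggedIn: gs.getSession().isLoggedIn() },
//     { table_name: current.table_name.toString() });
//   if (!verdict.allow) gs.info('sys_attachment read denied: ' + verdict.reason);
//   answer = verdict.allow;

// Constructed sample: the scenario from the question (guest in a private tab),
// an employee doing the same thing, and an unrelated attachment the rule must not touch.
const SAMPLE_REQUESTS = [
  { session: { isLoggedIn: false }, attachment: { table_name: 'kb_knowledge', file_name: 'sample.pdf' } },
  { session: { isLoggedIn: true },  attachment: { table_name: 'kb_knowledge', file_name: 'sample.pdf' } },
  { session: { isLoggedIn: false }, attachment: { table_name: 'sys_ui_page', file_name: 'logo.png' } },
];

// Count how many of the sample requests this rule would refuse.
function countDenied(requests) {
  return requests.filter((r) => !evaluateAttachmentRead(r.session, r.attachment).allow).length;
}

console.log('denied ' + countDenied(SAMPLE_REQUESTS) + ' of ' + SAMPLE_REQUESTS.length + ' sample requests');
```

Before promoting such a rule, confirm in a sub-production instance that no other matching read rule on sys_attachment still lets the guest session through, and that attachments on tables you intentionally expose publicly are unaffected.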

2 REPLIES


Andres Jasso
Tera Expert

Thanks Ravi.

I will relay the same to the KB Manager and have our team work on the ACLs for the sys_attachment table.

Cheers.

Andres Jasso