Title: Controlling Access to Files and Folders

The ability to read, edit/replace and delete files is primarily determined by:

1) Whether the file is stored as an attachment, in an Article Share Folder or in a Space Documents Tab / Share Folder

2) What permissions an account has been given for the project that the file is stored in

The following is a brief overview of how this works in practice:

Attachments



1) If the file is an attachment to an article that the account has read rights to, the user will be able to read/download the attachment. The article read permission comes either because the account has read rights to the space the article was created in or because the article has been given a tag from a space that the account does have read rights for. (Such "cross-tagging" can only be used to extend attachment read/download permissions, not edit/replace rights.)

2) If the account has edit rights to the article, the user has rights to edit or replace the attached file.

3) The ability to add more attachments to an article is a separate space-level permission that can be assigned to an account.

Share Folders and Files



Three levels of space-level permissions can be given to an account:

1) Read Share Folders - grants the right to see Document Tab Share Folder / Article Share Folders and read/download the files in them

2) Write Share Folders - grants the right to edit or replace files, to add files and to create new folders in Share Folders

3) Modify Share Folders - grants the right to delete files and folders in Share Folders

Space-level Document Share Folders and Files



The space-level permissions that an account has been given determine what rights the user has to all files (and folders) under the Space Share Folder.

There is no way to restrict access to a particular file or folder without putting it in a Space that has different permissions assigned. There is also no way to expose a particular file or folder without putting it in a Space with different permissions. If a link is made to a Share Folder or a file in a Share Folder, the link will not be live if the user's account does not have Read Share Folders permissions for that project.

Article Share Folders and Files



The project-level permissions that your account has been given also determine what rights you have to all files (and folders) under an Article Share Folder for any article in the project. However, when an article with an Article Share Folder is made readable to additional accounts by means of applying a label from a Space that those accounts can read, the files (and folders) under the Article Share Folder also become readable/downloadable by those accounts.

Note: One indirect "security" impact of using Article Share Folders vs attachments is that if the article is emailed to someone who does not have access to the Space, attachments may be sent as part of the email (this is an option that is often on by default). When an article using Article Share Folders is emailed, including the files in the email is not an option, so there is no chance of the files being sent by mistake.
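The rules above can be written down as a small decision function for reviewing who can reach a file; this is an added example that models the text, not code from the product. The permission labels, class names and sample accounts are hypothetical. It assumes that each permission is an independent grant and that article edit rights come from the space the article was created in.

```python
from dataclasses import dataclass
from typing import Optional

# Permission labels are names for this model, not product identifiers.
READ_ART, EDIT_ART, ADD_ATT = "read_article", "edit_article", "add_attachment"
READ_SF, WRITE_SF, MODIFY_SF = "read_sf", "write_sf", "modify_sf"
SHARE_NEEDS = {"read": READ_SF, "write": WRITE_SF, "add": WRITE_SF, "delete": MODIFY_SF}

@dataclass(frozen=True)
class Article:
    space: str                            # space the article was created in
    tag_spaces: frozenset = frozenset()   # spaces whose tags were applied to it

@dataclass(frozen=True)
class StoredFile:
    kind: str                             # "attachment", "article_share" or "space_share"
    space: str
    article: Optional[Article] = None

def tag_readable(grants, article):
    """True if a cross-tag comes from a space the account can read."""
    return any(READ_ART in grants.get(s, set()) for s in article.tag_spaces)

def allowed(grants, f, action):
    """grants maps space -> set of labels; action is read, write, add or delete."""
    here = grants.get(f.space, set())
    if f.kind == "attachment":
        if action == "read":
            return READ_ART in here or tag_readable(grants, f.article)
        if action in ("write", "add"):    # cross-tags never extend these
            return (EDIT_ART if action == "write" else ADD_ATT) in here
        raise ValueError("the page does not describe deleting attachments")
    if SHARE_NEEDS[action] in here:
        return True
    # Cross-tagging extends read only, and only for Article Share Folders.
    return f.kind == "article_share" and action == "read" and tag_readable(grants, f.article)

# Constructed sample data: one article in "eng", cross-tagged from "public".
ART = Article("eng", frozenset({"public"}))
ALICE = {"eng": {READ_ART, EDIT_ART, READ_SF, WRITE_SF}}
BOB = {"public": {READ_ART}}
FILES = {k: StoredFile(k, "eng", ART if k != "space_share" else None)
         for k in ("attachment", "article_share", "space_share")}

if __name__ == "__main__":
    for kind, f in FILES.items():
        print(kind, {a: allowed(BOB, f, a) for a in ("read", "write")})
```

Running the model over every account and file before applying a cross-tag shows which attachments and Article Share Folder files the tag would newly expose for reading.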



Article: Doc733 (permalink)
Date: January 19, 2009; 12:29:15 AM Eastern Standard Time

Author Name: Paul Needham
Author ID: pan