I think you yourself summed up:
only the ACL of the ParseObject is protected, which contains a reference to ParseFile
If someone accidentally finds out your URL for this particular file, then this is commendable because they are uniquely created, like objectId's:
.. containing the name of the file, which is the original file name with a unique identifier prefix to prevent name collisions. This means that you can save files with the same name and the files will not overwrite each other ...
In other words, the last component of the path will always be unique:
tfss-db295fb2-8a8b-49f3-aad3-dd911142f64f-airlines.txt
Even if you reload the new .txt airline document:
tfss-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx-airlines.txt
To summarize the ACL:
An ACL or access control list can be added to any Parse.Object to restrict access to only a subset of users in your application.
So, according to Parse, goals are for the object itself, and not for certain parameters of this object. At the moment, they do not support, say, setting up a specific read / write ACL in the header column of an object or the Email column or a specific column type, ACLs are objects or are user-dependent.
For anyone interested in reading more about Parses, ACLs can see their resource here: http://blog.parse.com/learn/engineering/parse-security-i-are-you-the-key-master/