Having recently helped someone through uploading a private file for a public task, I realized the process for doing so is undocumented and unclear.
As far as I can see, the only sane way to handle such private files is to open a private paste and drag&drop the file there, which will make the file inherit the restrictions of the paste and allows indirectly linking to the file via linking to the paste. (Directly linking to the file, i.e. pasting F12345 into a task, will immediately give access to the file to everyone who has access to the task. Furthermore, there seems to be no way to undo that: even if the link is removed, the file remains "attached" to that task.) Paste creation is not exposed anywhere, and the whole process is easy to get wrong, exposing your private file to the world (probably without noticing it, as Phabricator will continue to say the file is private even when everyone, including anonymous users, can see it).
This is not a problem with uploading private files for private tasks (such as patches) - you can just use drag&drop which will make the file inherit the restrictions of the task. But when the task should be public but the file private (this is common with HAR files that are needed for certain kinds of non-security issues such as web performance or login problems), Phabricator's behavior is hostile to the inexperienced user and we need some way to work around that.