Filing as a security bug to be paranoid, but I don't really think its actually that much of a security issue. Worst case is someone could get a version of a deleted file, if they planned ahead before it was deleted.
It appears that we send HTCP purges for old version thumbnails, but not the actual file asset itself.
Steps to reproduce:
*Upload some file
*Overwrite it with something
*In the file description page, click on the old version of the image, thus loading the full resolution version of the old file (and getting it in varnish cache)
*Delete the file
*The old full resolution link still works as its still in varnish cache.
I'm working on a patch for this, and I'll post it to the bug when done.