This directory stores downloadable files. Files uploaded through the admin interface are renamed to their hash and stored in separate directories. Files uploaded manually (FTP) go to the "uploads" directory. Always make sure that this directory is protected from direct access over the web.
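
One way to verify that protection, as an added example that is not part of this project: the script walks the storage directory (hash-named subdirectories and "uploads" alike) and requests each file by its direct URL, reporting any that the web server actually serves. The function names, the base URL argument and the rule "any 2xx answer means exposed" are assumptions of this example.

```python
"""Audit: are files in the download storage directory reachable by direct URL?"""
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def stored_files(storage_dir):
    """Relative '/'-separated paths of every file, including the hash-named
    subdirectories and the manual 'uploads' directory."""
    found = []
    for root, _dirs, files in os.walk(storage_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), storage_dir)
            found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def fetch_status(url, timeout=5):
    """HTTP status of a plain GET; 4xx/5xx arrive as HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def exposed_files(storage_dir, base_url, fetch=fetch_status):
    """Files the web server hands out directly (any 2xx answer)."""
    base = base_url.rstrip("/") + "/"
    return [rel for rel in stored_files(storage_dir)
            if 200 <= fetch(base + urllib.parse.quote(rel)) < 300]


if __name__ == "__main__":
    # Usage: python check_exposure.py <storage_dir> <base_url>
    # base_url is the URL this directory would have if it were served
    # (an assumption of this example; supply your own site's value).
    leaked = exposed_files(sys.argv[1], sys.argv[2])
    for rel in leaked:
        print("EXPOSED:", rel)
    sys.exit(1 if leaked else 0)
```

urlopen follows redirects, so a server that redirects denied requests to a login page answering 200 will be reported as exposed; check those results by hand.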