marekrei / encode-explorer

Home Page: http://encode-explorer.siineiolekala.net

Add support for serving the files with PHP or X-sendfile

daroczig opened this issue · comments

Currently the list of files points directly to the URLs of files found on the server, which means that any user could easily download with valid username and password with a known URL.

Is there any way to force encode-explorer to serve the files from within PHP, or by passing e.g. an X-sendfile header to Apache? Unfortunately I now have to protect some directories with "basic auth" besides the username/passwd for encode-explorer, which is really painful for users.

This could be done, but it would need certain security guidelines to ensure there are no security bugs in the feature.

I was thinking about implementing it myself, as an optional feature that could be enabled via a $_CONFIG var and a translation variable for a download error message.

Something like this:

function download_file($filename)
{
    // Check security guidelines: path doesn't start with a dot, path does not include double-dot groups, path is a local path and not a URL identifier... Bail out on failure.
    // ...

    // Disable output buffering.
    if(ob_get_level()) { ob_end_clean(); }

    // Open file via fopen. Bail out on failure.
    // ...

    // Send disposition headers. application/force-download , length ...
    // ...

    // Read file in 8 KB chunks (8192 bytes) and echo them to the client. Loop until EOF is reached, while the file resource is valid.
    // ...

    // Quit to prevent further output
    exit();
}

Any thoughts?
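
One way to fill in the sketch above, as an added example rather than code from the thread or from encode-explorer. It goes slightly beyond the sketch by resolving the path with realpath() and requiring it to stay under a base directory, and by offering the X-Sendfile header the issue asks about. All function and parameter names are hypothetical, and it assumes the caller has already passed the application's own login check.

```php
<?php
// Added example; all names are hypothetical. Assumes the login check has already succeeded.
function resolve_download_path(string $baseDir, string $requested): ?string
{
    // Reject empty input, NUL bytes and URL-style identifiers (http://, php://, ...).
    if ($requested === '' || strpos($requested, "\0") !== false
        || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $requested)) {
        return null;
    }
    // Reject any segment starting with a dot: covers "..", ".htaccess", ".git".
    foreach (preg_split('#[/\\\\]+#', $requested, -1, PREG_SPLIT_NO_EMPTY) as $segment) {
        if ($segment[0] === '.') { return null; }
    }
    // Canonicalise (resolves symlinks) and require the result to stay under the base directory.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}
function serve_file(string $baseDir, string $requested, bool $useXSendfile = false): void
{
    $path = resolve_download_path($baseDir, $requested);
    // Open before sending headers so a failure can still produce a clean error.
    $handle = ($path !== null && !$useXSendfile) ? fopen($path, 'rb') : null;
    if ($path === null || $handle === false) {
        http_response_code(404);
        exit('File not found.');
    }
    while (ob_get_level()) { ob_end_clean(); }
    // Keep the filename parameter to a safe character set (no quotes or CR/LF).
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream'); // standard type, in place of application/force-download
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    if ($useXSendfile) {
        header('X-Sendfile: ' . $path); // requires mod_xsendfile enabled in Apache
        exit;
    }
    header('Content-Length: ' . filesize($path));
    while (!feof($handle) && ($chunk = fread($handle, 8192)) !== false) {
        echo $chunk;
        flush();
    }
    fclose($handle);
    exit;
}
```

Direct URL access to the files still has to be blocked in the web server (for example by keeping them outside the document root); otherwise the known-URL download described in the issue remains possible.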

commented

You mean "any user could easily download withOUT valid username and password with a known URL", I suppose? I've noticed the same problem.
I would very much appreciate it if this could be avoided somehow.

A much easier way to achieve this is to remove any passwords from encode-explorer and add authentication for the whole folder using .htaccess.