With auth=1 direct links (example: domain.xyz/ifm/read.txt) are still accessible without authentication. Did I miss something?

The authentication only applies to the IFM itself, and not for other files which are accessible via the webserver. The best way to protect your files from being downloaded via the webserver, is to locate them outside the DocumentRoot (mostly htdocs), and set the root_dir to this path (make sure the PHP user can access this directory, though).

I added a config option named forceproxy in the latest commit 37111e3, which allows you to force proxying of files, so you can also restrict all access to the other files with a .htaccess file (as long as you use an apache webserver):

<Files *>
Require all denied
</Files>

<Files ifm.php>
Require all granted
</Files>

Thanks for the explanation and the instructions. I think this is enough information. I will close this issue.