Laravel: Preventing Direct URL Viewing of Private Images

Built-in Laravel security patterns used for private file access:

  • Private storage: images are saved outside public web root.
  • Auth-protected route: image endpoint requires a logged-in user.
  • Authorization check: only the image owner can access their image URL.
  • Strict upload validation: allowed types, size limit, and image constraints.
  • Server-side processing: image is re-encoded/resized to strip risky metadata and normalize content.
  • Randomized filenames: prevent predictable, guessable file paths.
  • Rate limiting: limits repeated upload attempts to reduce abuse.
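The pattern above, as an added example rather than the page's own code (two files shown in one listing; it assumes a `users.avatar_path` column, the default private `local` disk, and the GD extension for re-encoding):

```php
<?php
// ===== routes/web.php =====
use Illuminate\Support\Facades\Route;
use App\Http\Controllers\AvatarController;

Route::middleware('auth')->group(function () {
    // Rate limit uploads: 5 attempts per minute per authenticated user.
    Route::post('/avatar', [AvatarController::class, 'store'])->middleware('throttle:5,1');
    // Images are reachable only through this authenticated route, never a public URL.
    Route::get('/users/{user}/avatar', [AvatarController::class, 'show']);
});

// ===== app/Http/Controllers/AvatarController.php (assumes users.avatar_path) =====
namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

class AvatarController extends Controller
{
    public function store(Request $request)
    {
        // Strict validation: decodable image, whitelisted types, size and dimension limits.
        $request->validate(['avatar' => ['required', 'image', 'mimes:jpeg,png', 'max:2048',
                                         'dimensions:max_width=2000,max_height=2000']]);
        // Re-encode with GD: only pixel data survives, so EXIF and any appended bytes are dropped.
        $src = @imagecreatefromstring($request->file('avatar')->get());
        abort_if($src === false, 422, 'Image could not be decoded.');
        $img = imagescale($src, 512);                 // normalize width to 512px, keep aspect
        ob_start(); imagejpeg($img, null, 85); $bytes = ob_get_clean();
        imagedestroy($src); imagedestroy($img);
        // Random filename on the private "local" disk (under storage/, outside public/).
        $path = 'avatars/' . Str::random(40) . '.jpg';
        Storage::disk('local')->put($path, $bytes);
        $request->user()->forceFill(['avatar_path' => $path])->save();
        return back();
    }

    public function show(Request $request, User $user)
    {
        // Authorization: only the owner; a guessed URL for another user's image gets 403.
        abort_unless($request->user()->is($user), 403);
        $disk = Storage::disk('local');
        abort_unless($user->avatar_path && $disk->exists($user->avatar_path), 404);
        return response()->file($disk->path($user->avatar_path), ['Content-Type' => 'image/jpeg']);
    }
}
```

An unauthenticated request to `/users/{id}/avatar` is redirected by the `auth` middleware before the controller runs, so the file is never streamed without both checks passing.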

Result: profile images cannot be viewed directly by unauthenticated users, and cannot be accessed by other users even if the URL is guessed.