Somehow, even with using exec(), I doubt GoDaddy has their servers set up where you have write-permissions outside your FTP/Site root. Keeping the download directory outside of the web directory is an easy fool-proof method for ensuring no one can download your files except through uc_file. However it's not the only way. Ryan is right that you can easily come up with a non-obvious directory inside the web root protected via an .htaccess file. Something like:
Options -Indexes
<Files *>
Order deny,allow
Deny from all
</Files>in the .htaccess file should prevent anyone from viewing the directory contents (if they guess its name) and pulling files via HTTP even if they know a valid file name.
Joined: 08/07/2007