Well, your sentence is not entirely correct. You can cache the files if you make sure you can access them only from the OpenACS page that does the permission checking.
https://blog.kovyrin.net/2006/11/01/nginx-x-accel-redirect-php-rails/
The above link gives a good explanation how this can be achieved with NGINX. My initial sentence came from the fact that you could hack the referrer URL if you knew how the OpenACS system is setup. Also take a look at X-Sendfile
https://blog.lighttpd.net/articles/2006/07/02/x-sendfile
The goal of my question is not about authentication, that is covered (see above), my goal is to have the content repository objects be served as full URLs, so without Form values like ?object_id=1234
