It's my fault, so I should fix it, but there's a philosophical problem.
First, let me explain how it got this way. Here is my commit message from August 11, 2004:
"fix from Sloan: store attachments in user's shared files folder instead of in the community's file-storage, where they often don't have write privs and there's no good place to put them anyway"
Back then, attachments was part of the .LRN bundle and this fix was appropriate, or at least I thought so. No-one has complained up to now, and there aren't any bugs on this in the bug tracker, so I will claim it was a reasonable choice at the time.
However, since then attachments has become a required package for other packages, such as forums, which most definitely need to work outside of .LRN, so my fix is no longer valid.
The question is, where should attached files be stored? I don't consider putting them in the root folder of file storage to be appropriate, as they are then visible to any users who happen to navigate there. I vaguely recall considering using folder_id -100, or something similar, back when I made this change, but someone (Dave?) had a good reason for not doing that.
Suggestions?