Correct, files stored in plain text (and no additional permissions to stop users from reading it) are open to the world; assuming that the world knows where the file is.
Hence, why you are supposed to delete the file(s) when not being actively used for an import/export (which is the only reason why there should be files in the import directory in the first place).