I am assuming you only want the user that is logged in to access this file which is why you are doing it in this way?
With my current knowledge, how I would handle this is using an object store vs just a file directory store. With that said, I am big supporter of work smarter not harder. The lazy way would be to sign up for something like DigitalOcean spaces ($5/mo). When the user uploads the file, take that file via the same PHP script and upload it to DigitalOcean spaces with private permissions. With private permissions, the file will not be available publicly. When the said user logs in, you can generate a unique “private” time based URL for that file which the user can access. When the time expires, the URL is no longer valid. This feature is built into DigitalOcean Spaces and would just have to do an API call for it. If you need help on getting it to work, let me know.
You could pretty much use any object store like Amazon S3 but I recommend digitalocean. They are easy to use and fairly cheap. Full disclosure, if you decide to try DigitalOcean, you can use my referral link and get a $100 credit for 60 days: DigitalOcean. Scratch each others backs sort of speak.