Our asset uploading service is a write-only service to the outside world. Written assets can only be downloaded from within our infrastructure, and even then the appropriate credentials are required. If someone compromised your version control provider account (GitHub or Bitbucket), then yes, they could move the asset directly into the download path on the web server. For that reason, we recommend requiring two-factor authentication on these services and carefully guarding write access to your build repositories.