🚨 Major Webflow CMS Security Vulnerability

Hi there. Thanks everyone here for the great conversation around uploading files to the CMS in a Webflow project.

I wanted to add in a little extra information to help confirm and clarify.

When uploading a file (for example a PDF file) into a Webflow CMS item field, the file is uploaded to AWS (Amazon Web Servers) and a unique filename is generated that also links the file to the project.

These files are not restricted, so if you have the direct link they can be loaded in a web browser. The files could be discoverable, but this is unlikely unless the unique filename (GUID) can be guessed. So the file has to be linked or shared somewhere for someone to find it, and for Google (or other search engines) to be able to crawl and index the file it has to be linked somewhere on a publicly viewable web page.

If a CMS template page links to the file, or if the file is linked elsewhere on a static page (or another CMS template page) by using a CMS collection list, then Google can crawl the page and index any links it follows. If the page is password protected, the link would not be found on the page, as the page would return a password protected response and the content would not be loaded. But if the page is not password protected until later, Google may have already crawled and indexed the content, including any links to files on the page. In this instance the actual file link can still be loaded, so Google will continue to index that file. The link to the uploaded file is not password protected, only the page itself.

To avoid indexing a link, an option is to set a rel="nofollow" attribute on any links that go to the PDF file. For more information on rel=nofollow please see Qualify Outbound Links for SEO | Google Search Central | Documentation | Google Developers.

This can be set as a custom attribute on links in the project settings (Image 2020-09-07 at 11.57.1...).

However, please note that this is a suggestion to Google not to follow the link to the PDF file, and Google may still index it if it crawls the file from another link elsewhere. Also, it will not remove PDFs that are currently indexed in Google search.

Another option for uploading content to a project, if it needs to be restricted, is to upload the file through form file uploads and toggle on restrict file upload access (Form file upload | Webflow University). These files would not be accessible for search engines to index or for others to view without logged-in access. Note that these files cannot then be used on CMS pages or static pages, as the links are restricted and require being logged in.

I hope that helps. If you have any specific issues please contact Webflow support at Webflow Customer Support | Webflow University and we can help further.

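The post above makes two points a site owner can check for themselves: a CMS upload is only as hidden as the pages that link to it, and rel="nofollow" on one link does nothing if the same file is linked without it somewhere else. The following script is an added example (not code from the post, from Webflow, or from the thread) that audits rendered page HTML for links to uploaded documents and reports which files a crawler following ordinary links would still reach. The hostnames, filenames and page contents are constructed placeholders, and the set of "document" file extensions is an assumption for the example.

```python
"""Audit rendered page HTML for links to uploaded documents (PDFs etc.) and
report which files are reachable through at least one link lacking rel="nofollow".
Constructed example for this thread; it is not Webflow's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions treated as "uploaded documents" (assumption for this example).
DOCUMENT_EXTENSIONS = (".pdf", ".docx", ".xlsx", ".zip")


class _LinkCollector(HTMLParser):
    """Collects (href, rel tokens) for every <a> element in a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr_map = dict(attrs)          # attribute values may be None
        href = attr_map.get("href")
        if href:
            rel_tokens = (attr_map.get("rel") or "").lower().split()
            self.links.append((href, rel_tokens))


def is_document_link(href):
    """True if the URL path (query string ignored) ends in a document extension."""
    path = urlparse(href).path.lower()
    return path.endswith(DOCUMENT_EXTENSIONS)


def audit_page(page_url, html):
    """Return one finding per document link on a page:
    {"page": page_url, "href": link target, "nofollow": bool}."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, rel in collector.links:
        if is_document_link(href):
            findings.append({"page": page_url, "href": href,
                             "nofollow": "nofollow" in rel})
    return findings


def crawlable_documents(pages):
    """Given {page_url: rendered html}, return the set of document URLs linked
    from at least one page WITHOUT rel="nofollow". A nofollow on one page does
    not help if another page links the same file normally."""
    exposed = set()
    for page_url, html in pages.items():
        for finding in audit_page(page_url, html):
            if not finding["nofollow"]:
                exposed.add(finding["href"])
    return exposed


# Constructed sample pages; hosts and filenames are placeholders, not real assets.
SAMPLE_PAGES = {
    "https://example.com/reports": """
        <a href="https://assets.example.com/1234abcd_annual-report.pdf">Annual report</a>
        <a href="https://assets.example.com/5678efgh_internal-memo.pdf" rel="nofollow">Memo</a>
        <a href="/about">About</a>
    """,
    # The memo is nofollow above, but linked plainly here, so it is still crawlable.
    "https://example.com/blog/post-1": """
        <a href="https://assets.example.com/5678efgh_internal-memo.pdf">Memo (again)</a>
    """,
}

if __name__ == "__main__":
    for url in sorted(crawlable_documents(SAMPLE_PAGES)):
        print("reachable via a followed link:", url)
```

Feed it the HTML of every public page (including CMS template pages rendered from collection lists) and anything it reports is a file whose direct URL is already discoverable regardless of page password protection; for those, the restricted form-upload route described in the post, or removing the link, is the fix rather than adding nofollow.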