Storing the uploaded file outside the web document tree would be the easy part. That shouldn't require any changes to the script.
download.php would have to be changed to read the attachment file, and then output it to the browser. This would be a simple change. It might not work on all servers, since PHP might not be configured to be able to read files outside the script directory. And to get it to work with all browsers, you might have to explicitly specify some of the headers, such as the MIME type.
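A minimal sketch of such a download.php, added here as an example and not taken from the script under discussion. The storage directory `ATTACH_DIR`, the `file` query parameter and both function names are assumptions; the MIME lookup needs PHP's fileinfo extension.

```php
<?php
// Added example, not the script's own download.php.
// Assumed: attachments live in ATTACH_DIR (outside the document root) and
// are requested as download.php?file=<stored name>.
const ATTACH_DIR = '/var/app-data/attachments'; // hypothetical path

function resolve_attachment(string $baseDir, string $name): ?string
{
    // Accept a bare file name only: no directory parts, no dotfiles, no NUL bytes.
    if ($name === '' || $name !== basename($name) || $name[0] === '.'
        || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false when the file is missing or PHP may not read it.
    if ($base === false || $path === false) {
        return null;
    }
    // After symlinks are resolved, the file must still sit inside the storage directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return (is_file($path) && is_readable($path)) ? $path : null;
}

function send_attachment(string $path): void
{
    // Detect the type from file content; fall back to generic binary.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path) ?: 'application/octet-stream';
    // Keep the header value free of quotes, CR/LF and other special characters.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: ' . $mime);
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff'); // stop browsers guessing another type
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    $name = $_GET['file'] ?? '';
    $path = is_string($name) ? resolve_attachment(ATTACH_DIR, $name) : null;
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    send_attachment($path);
}
```

Any access check the script already applies to attachments belongs before the call to `send_attachment()`, since the web server no longer serves the file itself.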