The only ways that someone would be able to access the attached files are:
1. The staff's account is compromised. This can be further secured by limiting access to this section to a select subnet or group of subnets. This would limit the access to the departments that the employee has access to and the tickets assigned to those departments.
2. The ticket opener's credentials are compromised. This can be further secured by the addition of a simple web authentication to actually get to the server in the first place. This would limit the access to just the tickets that the user opened and thus only that customer's attachments.
3. The MySQL database credentials are compromised. This relies on the server's security. If someone breaks into the server itself then you can be pretty sure that they will be able to retrieve all your documents once they get the osTicket DB creds.
I find it important to note that you will have pretty much the same attack vectors with any web-based application.
If you are very concerned with this sort of thing, you could delete tickets with attachments after X days, or mod osTicket to remove attachments after x amount of time.
Does that answer your question?