There is a common misconception that equates blocking content to blocking file access. Content that displays on a page is quite different from accessing a file from your filesystem.
When content is displayed on a page, that content is retrieved from the database and displayed within the site template. When that content is blocked, it is simply dropped from being displayed. That is what the WP-Members plugin does.
Accessing files is something entirely different and unrelated.
If you have a link to a document or file in your protected content, that link will generally be unknown to users who are not logged in (including bots). However, because a link to a file is nothing more than a path in your filesystem, if the link (file location) is known, it can be directly accessed by anyone. Preventing this requires changing how files are handled. The entire directory must be protected (usually using a .htaccess file restricting direct access to the directory) and then files are streamed through a PHP script that validates whether the user is logged in or not. This type of process is not what the WP-Members core plugin does.
If you need file protection, there is a premium extension that is designed for blocking access to file downloads. This extension keeps files in a protected directory and only allows user access through a login validation script. You can find out more about the WP-Members Download Protect extension here.