I gave Secure Files module a whirl and it doesn't seem to play nice with Versioned Files :( (or vice versa of course)
The secure files module adds access controls to Folders that are visible in the Files and Images section tree.
Unfortunately the files I need to secure are in subfolders named _versions but these are not visible in the tree so I can't apply access controls directly.
Also if I make a visible Folder secure via the Secure Files module, any version files (eg asssets/documents/_versions/123/File.1.pdf) give me 403 both in the browser and CMS.
If anyone has any suggestions about where to go from here it would be good... even if it means getting into the code.
Another option I considered was to make some manual updates to .htaccess, if anyone can point me in the direction of the "SilverStripe Way" for that kind of thing