Thanks for the reply.
I believe just option 1) should suffice and possibly be even more than I need.
Here's what I'm doing.
I have a client area with children pages for clients and grandchildren for sub pages. - (domain.com/client-area/client-1/page1, domain.com/client-area/client-1/page2 (assuming nested URLs worked))
Each member will only belong to one group. Each group will have private files to download on their pages. These files won't be shared by them, so I'm not worried about them handing out the links across the web. Files are related to client business, so THEY want them private.
To be honest, I'm probably safe enough just restricting pages to certain groups, disabling directory listing of content, and posting the links in there. However, I may implement something along the lines of what you did if it's not too much work, to give the clients more peace of mind.