User File Uploads
Images that are attached to issues, merge requests, or comments do not require authentication to be viewed if they are accessed directly by URL. This direct URL contains a random 32-character ID that prevents unauthorized people from guessing the URL for an image, so an image that contains sensitive information has some protection. Anyone who obtains the URL, however, can view the image without signing in.
Authentication is not enabled because images must be visible in the body of notification emails, which are often read from email clients that are not authenticated with GitLab, such as Outlook, Apple Mail, or the Mail app on your mobile device.
Non-image attachments do require authentication to be viewed.
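The following audit helper is an added example, not code from GitLab. It scans text such as exported comments or chat logs for upload links and reports the ones that point to images, which can be viewed without authentication. The URL shape (`/uploads/<32 hex characters>/<filename>`), the extension list, the host `gitlab.example.com`, and the sample text are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: upload links look like .../uploads/<32 hex chars>/<filename>.
UPLOAD_RE = re.compile(
    r"https?://[^\s\"'<>)\]]+/uploads/[0-9a-f]{32}/[^\s\"'<>)\]]+", re.I
)
# Assumption: illustrative list of image extensions, not GitLab's own list.
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".webp"}


def find_upload_links(text):
    """Return [(url, needs_auth)] for each distinct upload link in text."""
    results, seen = [], set()
    for match in UPLOAD_RE.finditer(text):
        url = match.group(0).rstrip(".,;")  # drop sentence punctuation
        if url in seen:
            continue
        seen.add(url)
        # Classify on the path only, so a query string cannot hide the type.
        name = unquote(urlsplit(url).path).rsplit("/", 1)[-1].lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        # Images are served without authentication; other files are not.
        results.append((url, ext not in IMAGE_EXTS))
    return results


def exposed_images(text):
    """Upload links that anyone holding the URL can open."""
    return [url for url, needs_auth in find_upload_links(text) if not needs_auth]


# Constructed sample input (hosts, paths and IDs are made up).
BASE = "https://gitlab.example.com/group/app/uploads/"
SAMPLE = (
    f"Issue: ![shot]({BASE}0123456789abcdef0123456789abcdef/login-screen.png)\n"
    f"Comment: see {BASE}fedcba9876543210fedcba9876543210/db-dump.sql.\n"
    f"Chat: {BASE}00112233445566778899aabbccddeeff/Diagram.JPG?width=800\n"
    f"Repeat: {BASE}0123456789abcdef0123456789abcdef/login-screen.png\n"
)

if __name__ == "__main__":
    for link in exposed_images(SAMPLE):
        print("viewable without authentication:", link)
```

Links it reports that appear outside GitLab (mail archives, chat exports, proxy logs) are places where the image is readable by whoever can read that text.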