1) create a folder for documents outside the public folder (the one in which index.php and statics)
2) create an action to download files, place these files there, bind the file to the user at the database level
3) return the file for viewing should be done only through the action (so that there is no direct access to the file using the url selection method), with a check that only the user and admins can view it

uploading documents to the site for verification

You don't have to store them. Viewed and deleted.

I think it's better to create a separate project to store your documents and unload from it. But this is not the exact correct answer.

Look towards object storage such as Minio (compatible with AWS S3). Deploy it on your server and store it there. It will be more hopeful than just storing it in a folder as suggested in the messages above.

I saw a similar example when AWS taught. The document was loaded directly into S3 using a token from a web server. Without a token, no one has any access. Something like this.

How strange! Everyone read the question and no one even noticed!

the task was to upload documents to the site for user verification

You have an extremely difficult task! )))
You mixed up: "to the site" and "through the web page")))
Well, then, the site has nothing to do with it at all!
After receiving and validating the "body" of the file (that a file with the pdf extension is not a script, etc.), the server script was immediately TRANSFERRED from memory through an internal call to the internal service of the script handler, which performs the necessary actions on the document, encrypts and puts it in a storage (folder, database, etc.), which is generally inaccessible from the outside.