It would depend on how you are making the file available. If you are just providing a link for downloading the file, anyone will be able to access the file if they know the URL to the file.
If you are using a PHP streaming method to supply the file, then you can use .htaccess security to deny access to the .pdf directory or the .pdf files themselves. Since PHP is reading the file, it has no bearing on the server's denial; the server only denys external requests for the file via URL.
For example, I often install a backup application that has its own config.inc.php file. Anyone who wants to can download that file, and get my backup application login, back up my site using it, and then from the site backup get my MODx config files to find the database information. To prevent this, I added a directive in my .htaccess
<Files config.inc.php>
order deny,allow
deny from all
</Files>
A PHP file (such as index.php) that needs the information can include the file with no problem, but anybody who tries accessing domain.com/backup/config/config.inc.php in a browser will be denied.