I think I have the answer... This has been tested and works.
I tried my idea above of creating a new Ibay, but php wouldn't allow me to access it because of the "open_basedir" setting that resricts you to only use files in the Ibay. Which is a great idea. (I don't want other users requesting my scripts through php)
So I thought the next logical option. I created a directory in the ibay next to "html" and "files" called "secure" changed the permissions. (easy way to get this right, Login to web panel after creating the folder (as root through ssh), change the assigned group to another group, then back again and the permissions are set to the same as the rest in the folder).
And Walla! I'm done. I can't access the folder through mydomain/secure/filename.txt but I can access it through a php script. And because its done through PHP the path is hidden and as far as the user can see it's magic.
If any one can see some obvious floors in this sort of security let me know.