Backstory: Currently working on a Custom Post Type that will need a file uploaded to that post. The file needs to be secured (hidden for the world + only accessed through PHP and not by URL to check if the user has permission).
Then I'll create a shortcode that will generate a download button that will serve the file out to the user if he has access to it, or redirect to a page saying he needs to log in or something.
I've used WordPress' upload_dir filter(*) to actually upload the file in /uploads/secure-dir/example.pdf and that works as expected, the file is added in the correct path.
Right after uploading, the file_upload metabox template shows me the correct URL to the file (the  link also works correctly), UNTIL I reload the page. Then the template somehow returns /uploads/example.pdf (stripped the "/secure-dir" from the path). Opening the file, or using the edit-link, no longer works.
My question is how I can best set a custom upload path for the Metabox file_upload?