How is an attachment meaningfully encrypted through iCloud if someone who isn't using a Mac can download the file through a link in the email they receive? If that link can be generated for them, it can be generated for anyone.
Edit: Even if a link is generated client side along with an access key, it's sent plain text and anyone who sees it can click it.
I'd imagine these users will have to go through a process that proves they don't just have the link but can also access the email account in question. Just like email subscription confirmations work.
Edit: Even if a link is generated client side along with an access key, it's sent plain text and anyone who sees it can click it.