User uploaded avatars are treated by SMF as attachments and are put inside "attachments" folder with a hashed name. These you can't really download easily. It *is* possible but it requires some extra coding.
Yep I made a query that via php retrieves attachment id plus hash, and then feeds the result to the game code that picks up the exact filename.
But in the end do you think the htaccess can be improved, made safer etc.? I mean is it so dangerous to let the people have an indirect access to the avatars folder? there's a double layer of protection, php and htaccess. What is the possible risk?