WordPress is engineered not to interfere with existing files, including .htaccess rules it generates to enable use of pretty permalinks.
Simply put you cannot make WP process or protect media files without some form of .htaccess or other web server configuration, because typically it handles them completely separately and WP doesn’t interfere with it.