Fileman's PHP or .NET scripts will not manipulate files or folders that are outside the directory set in FILES_ROOT setting. Also Fileman script which is not set in the configuration cannot be executed - it will exit.
However, it's up to you to implement application level access restriction! If you are using protected directory and Fileman resides in it, you are good to go.
.NET users can use web.config file to apply user authentication.
To implement your own security checks in PHP, you have to fill "checkAccess($action)" function located in fileman/php/security.inc.php file. This function is executed in the beginning of each PHP script, and you can validate user or the action which is about to be performed ($action will contain the name of the setting i.e "MOVEDIR" when moving directory). Usually user login validation is pretty simple, it could be something like "if($_SESSION['is_admin_logged'] !== true)exit;".
You can also use HTTP Basic authentication or any other authentication mechanism you want.