If you have access to the client you can upload new files to the server, delete files from the server. So the protection is more about not giving somebody else access to the files stored on the server rather than protecting the files downloaded to the client.
I’ve got your point, but in my opinion this should be communicated more clearly to the user. I bet, most of the users expect that the files are inaccessible if they set up PIN/fingerprint protection in the app.