Here is the dilemma:
1. The redirect could be set up in .htaccess but of course the redirect will give the "page URL not found" error.
2. If I simply set up a "Rewrite Rule" in .htaccess, the server will be able to open www.example.com/subfolder/XYZ.pdf because it actually looks for "/sites/default/files/subfolder/" as the Rewrite Rule told it to.
The problem is that both "Redirect" and "Rewrite" could only work partially; when put together they will conflict with each other. So how to hide "/sites/default/files/" in the URL?
I think that this is supposedly a common practice for websites to hide the real pathway to private files. Could you provide some help? Thanks.
To some extent, I believe you're over-complicating this.
If you have your files in /sites/default/files/ then they're not private at all. They can be accessed by anyone and that's even easier if they know you're using Drupal, because they can guess the path.
To solve this, Drupal actually has a private files option in Configuration > Media > File system > Private file system path. The best solution in there is to set a location that is above the root. It will look like this: /downloads/<ROOT>
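
Added example, not part of the original answer: a check that a candidate private files directory really resolves outside the web root, and that no symlink under the web root points back into it. The directory layout and the function names are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def classify_private_path(private_path, docroot):
    """Return 'outside' if private_path resolves outside docroot,
    'inside' if the web server could serve it, 'missing' if absent."""
    root = Path(docroot).resolve()
    target = Path(private_path)
    if not target.exists():
        return "missing"
    real = target.resolve()  # follows symlinks, so a link into docroot is caught
    if real == root or root in real.parents:
        return "inside"
    return "outside"


def symlinks_into(private_path, docroot):
    """List symlinks under docroot that resolve into private_path; each one
    re-exposes the private files if the server follows symlinks."""
    private = Path(private_path).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                real = p.resolve()
                if real == private or private in real.parents:
                    hits.append(str(p))
    return sorted(hits)


def build_demo(base):
    """Constructed layout: <base>/www is the web root, <base>/private sits beside it."""
    base = Path(base)
    (base / "www/sites/default/files/subfolder").mkdir(parents=True)
    (base / "private").mkdir()
    (base / "private/XYZ.pdf").write_bytes(b"%PDF-constructed")
    # A stray link like this undoes the move out of the web root.
    os.symlink(base / "private", base / "www/sites/default/files/leak")
    return base / "www", base / "private"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        docroot, private = build_demo(tmp)
        print(classify_private_path(private, docroot))
        print(classify_private_path(docroot / "sites/default/files", docroot))
        print(symlinks_into(private, docroot))
```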