This is a very confusing post.
First of all, just because something is accessible without sudo, it isn’t insecure. I would argue, if it is personal data, it is more secure - it is only accessible to someone logged in as your user.
Also, it confuses (audit) logging with spying. If you consider hidden downloads by apps dangerous, it makes sense to log them. As this is personal data, it makes sense to log it locally in the user space of the user that downloaded them, for later inspection if there was a problem.
I had a look at my database and it contained a lot of interesting info, for example when sparkle downloaded updates and similar.
This database allows for worthwhile queries, for example “did this machine download an update through sparkle while there was an exploited sparkle bug in the wild”?
Interestingly, I found none of my recent Firefox downloads that I actively started, this isn’t a full log.