You can use roles to restrict access to the page. I think what you want is essentially described in this post., tweak it as required.
Setting the available documents is a little trickier. You could probably go with the MultiSelect Field, but adjust the Query part in the blueprint to read files rather then page IDs, however I am not 100% sure it can read form another page. You may have to feed it a JSON list via a route.
Not tested this but something along these lines in your config should do it:
<?php
c::set('routes', array(
// File Links
array(
'pattern' => 'filelist.json',
'action' => function() {
header('Content-type: application/json; charset=utf-8');
$files = site()->index()->find('secretpage')->files();
$json = array();
foreach ($files as $file) {
$json[$file->safeName()] = $file->filename();
}
echo json_encode($json);
}
),
));
And in your blueprint, (assuming the multiselect can take JSON like the standard Select field)
fields:
relevantfiles:
label: File Downloads
type: multiselect
search: true
options: url
url: filelist.json