Windows files don't have generic permissions as they do in Linux, permissions are granted to individuals and groups. For users to see a file, they have to be a member of a group that has permissions on the object. On my Windows system, CB users can see their own profile images because they are a named user on the file, but no other user can.
Somehow when CB uploads the file, it is overriding the permissions that should be inherited from the folder setting, but not on thumbnails, only the main image.