How private are files "sent" using this method? Doesn't the pinning node broadcast its hashes to the network?
I suppose a quick lookup to Keybase for a GPG key (as it already asks for email), and then encryption with https://github.com/openpgpjs/openpgpjs, would be one approach. Or, as a link is sent "out of band", I suppose one could simply provide a symmetric key in the email. Not as secure - but might be sufficient.
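
The symmetric-key variant suggested in the comment above, as an added example (not part of the original comment or of the project's code): the file is encrypted with AES-256-GCM in Node before it is pinned, so only ciphertext is announced to the network, and the key travels in the email. The function names and the envelope layout are assumptions of this example.

```javascript
// Added example: encrypt before pinning, share the key out of band.
// Envelope layout (an assumption of this example): nonce(12) || tag(16) || ciphertext.
const crypto = require('node:crypto');

const NONCE_LEN = 12; // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

// Generate a fresh random key per file; this string is what goes in the email.
function newKey() {
  return crypto.randomBytes(32).toString('base64url');
}

// Returns the bytes that would be handed to the pinning node.
function encryptForPinning(plaintext, keyB64) {
  const key = Buffer.from(keyB64, 'base64url');
  const nonce = crypto.randomBytes(NONCE_LEN); // never reuse a nonce with the same key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Returns the plaintext, or null if the key is wrong or the blob was altered.
function decryptFetched(envelope, keyB64) {
  if (envelope.length < NONCE_LEN + TAG_LEN) return null;
  const key = Buffer.from(keyB64, 'base64url');
  if (key.length !== 32) return null;
  const nonce = envelope.subarray(0, NONCE_LEN);
  const tag = envelope.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const body = envelope.subarray(NONCE_LEN + TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: TAG_LEN });
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]);
  } catch (err) {
    return null; // authentication failed: wrong key or modified ciphertext
  }
}

// Constructed sample input.
const sample = Buffer.from('constructed sample file contents');
const sampleKey = newKey();
const pinned = encryptForPinning(sample, sampleKey);
console.log('bytes visible to the network:', pinned.toString('hex').slice(0, 32) + '...');
console.log('recipient recovers:', decryptFetched(pinned, sampleKey).toString());
```

Anyone who can read the email can decrypt the file, so the confidentiality of the pinned content is exactly that of the channel carrying the key.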