Your default file upload location is under administrator/, like: administrator/components/com_xxx/yyy
Why not make it media/com_xxx/yyy?
Because when I use Admin Tools (from Akeeba) to set an .htaccess on the administrator directory (which I always do nowadays for extra security), the files under administrator/components/com_xxx/yyy are not accessible by the front-end users.