If an asset is set as on-sale and then returned to off-sale, it will still be downloadable. In the below screenshot I am not signed in and the asset is off-sale, yet I can still download it because it was on sale for one day over two months ago. I don’t think I need to explain why this is an issue.
edit: as stated in my reply the download button is added by an extension, however, the button is linking to Roblox’s asset delivery API (https://assetdelivery.roblox.com/docs). My expectation would be that requests to this API for off-sale assets would return a 401 status code rather than the asset. I should also note that the asset delivery API will return the most recent version of the asset, not the most recent public version of the asset.
edit 2: various reproduction information
The asset in the above screenshot is: https://www.roblox.com/library/6106629980/Asset-Test
The download button is linking to: https://assetdelivery.roblox.com/v1/asset/?id=6106629980
(clicking the above asset delivery link will prompt you to download a .jpg file but if you change the extension to .rbxm, it is in-fact the asset)
I first created the asset by uploading a module script with the content “-- Version One”. I then set the asset to off-sale. Once off-sale, I was still able to download the asset while logged out.
I then edited the module script to have the content “-- Version Two (copylocked)” and published it over the asset. After doing so, I was able to download the off-sale asset while logged out and still got the most recent version (that was uploaded while the asset was off sale) with the content “-- Version Two (copylocked)”