Asset Creation and IPFS Hash Question

I'm hoping someone can clarify.

Let's say I have a band. I create a single asset on Ravencoin for my band name. I create sub-assets for albums with a hash to IPFS where the albums are located, and sell these album tokens.

But nothing about this makes the album only accessible to those with the album's token. It can be accessed via IPFS by anyone who knows the hash? All the token does is in effect prove that someone rightfully owns that album, and anyone in possession of it without the token could be said to be illegally possessing it?

Is this right?