You're getting closer, but that's not exactly right.
If all reports are protected with the same access, like Level 2, then all users at Level 2 can download all the reports if they can guess the name, which wouldn't be hard.
This is why I was suggesting custom capabilities. If the user Mike has custom capability Mike and the report mike.pdf is in the download directory for the custom capability Mike, then John won't be able to download it even if he knew the URL to it, only Mike would.
E.g. /s2member-files/access-s2member-ccap-mike/reports-mike.pdf
http://mysite.com/?s2member_file_download=access-s2member-ccap-mike/reports-mike.pdf
Each user needs to have his own ccap. The uploader would need to upload to the directory for the ccap of the user the report is for.
I hope that makes more sense now.