
Re: webservice/upload.php returning zero instead of actual itemid

by Martin Mastny.  

Ok, I found a solution myself. Here it is.

Itemid = 0 is a basic itemid in the database and the file really gets uploaded with it. When you need the uploaded file, the system copies a database entry and creates a link with a unique itemid, and then you can use this file with the created itemid. This is not a good idea, because the whole structure of private files in the database gets copied every time you refresh the private files page. Seems like a good entry point for overfilling the database and a potential attack to me. Of course I could be wrong.

Cheers

Martin

