I can't seem to find if what we are seeing is due to a setting or not, but when users use the 'attach a file from SharePoint' functionality, the file is linked instead of attached.
It true that it is a best practice to link SharePoint files instead of duplicating them. But the 'select a file' interface does not warn users about possible access issues following from this. Neither does it allow users to verify or change the access before posting. And, the 'Attach a file' support article uses the term 'upload'.
@Wim Vandierendonck you're correct about the "upload" nomenclature on that help article. I've given feedback on the bottom of the page that the term is incorrect (and you can do so too).
Generally speaking I do believe that the link is best in most scenarios for Yammer. You're correct there are going to be instances where links in Yammer could result in people clicking on links for docs they don't have permission to.