If I wanted to achieve security, I would do the following:

In queryhits you advertise your GUID and a 0.0.0.0 IP. In addition you send your push-proxies (your ultrapeers). The downloader sends a download request containing your GUID and the urn of the file he wants to download. The push-proxy then redirects the downloader to one of its leafs (possibly you possibly someone else acting as a proxy) or sends a push to one of its leafs so the download can be started. Unlike your scheme this could work with the download mesh if connections are stable enough.