Let’s say you’re building an app where you allow users to upload images, and there’s an expectation that those images should be “secure” — specifically, that they can only be accessed by logged-in users with the appropriate level of access. One way to handle this is to serve the file with PHP, rather than with Apache or Nginx (your webserver). If you’re serving things from PHP, you can use control-flow ( if statements) to serve an image (or not) only after checking that the request is on behalf of a user with correct permissions.
Typically one uses a PHP script to ultimately generate a text file, in the form of an HTML document.
X-Sendfile is a PHP extension that allows PHP to send files from the disk, similar to how your webserver would send them.