Thank you. I confirm the bug with saving roles in the ‘view restriction’ meta box for attachments. I fixed it in the development version.

But this restriction just excludes the attachment post from listing by WordPress when an attachment listing is required directly. It does not protect the file from download by typing its direct URL in the browser. It does not exclude this attachment from the posts or pages in which this attachment was included.

As a temporary workaround you may use the URE shortcode:
and show the file URL or download link for the allowed role only.
It still will not prevent any visitor who knows the direct URL from downloading this file, but the download URL in the content will be available for the authorised users only.

In general you need a routine which should not show a direct URL to the file, but uses some kind of download link, which will lead to a script where the download will be started only after checking user permissions.

It’s possible that I will include such a feature in User Role Editor with time. Something like a ‘digital file protection’ add-on.

Btw, maybe some plugin from this list may help you to restrict access to the downloadable file using roles:
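
The permission-checked download routine described in the reply above, as an added example that is not part of the original post and is not User Role Editor code. The query variable `protected_file`, the meta key `_example_allowed_roles` and the function name are hypothetical; it assumes the allowed roles are stored as an array in the attachment's post meta.

```php
<?php
/**
 * Added example: serve an attachment only after a role check, so page content
 * can link to ?protected_file=<ID> instead of the direct upload URL.
 * All names below (query var, meta key, function) are hypothetical.
 */
add_action( 'init', 'example_serve_protected_file' );

function example_serve_protected_file() {
    if ( ! isset( $_GET['protected_file'] ) ) {
        return; // Not a download request.
    }
    $attachment_id = absint( $_GET['protected_file'] );
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_die( 'File not found.', 'Not found', array( 'response' => 404 ) );
    }
    if ( ! is_user_logged_in() ) {
        auth_redirect(); // Sends the visitor to the login page and exits.
    }
    // Deny by default: missing meta yields no matching role.
    $allowed = (array) get_post_meta( $attachment_id, '_example_allowed_roles', true );
    $user    = wp_get_current_user();
    if ( ! array_intersect( $allowed, (array) $user->roles ) ) {
        wp_die( 'You are not allowed to download this file.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Resolve the path from the attachment record, never from request input.
    $path = get_attached_file( $attachment_id );
    if ( ! $path || ! is_readable( $path ) ) {
        wp_die( 'File not found.', 'Not found', array( 'response' => 404 ) );
    }
    $mime = get_post_mime_type( $attachment_id );
    nocache_headers(); // Keep shared caches from storing the protected response.
    header( 'Content-Type: ' . ( $mime ? $mime : 'application/octet-stream' ) );
    header( 'Content-Disposition: attachment; filename="' . sanitize_file_name( wp_basename( $path ) ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    while ( ob_get_level() ) {
        ob_end_clean(); // Drop buffered output so it cannot corrupt the file.
    }
    readfile( $path );
    exit;
}
```

The check only protects the file if its direct upload URL is also unreachable, for example by denying web access to the upload directory at the web server or storing the file outside the document root.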