The one difference to using symlinks for controlled file access vs. readfile() is that the HTTP server will handle content-type of the symlink automatically.
If you always want it to be downloaded, this can be a negative point. However, if you want a file of non-predefined type to be viewable in the browser, this can be a real asset.
Of course, you can use fileinfo/mime-magic to do that, but those require a module which isn't always available on shared hosting.