Anyone who is able to send a transaction is able to add metadata to that transaction, including sticking a file in that metadata in they really want to. But I presume you mean you want a clearly defined space on the chain where files are placed, and only one party can write to that space. This is easy using streams – create a stream which is permissioned for writing (i.e. not 'open') then give write permissions only to the appropriate address. Anyone subscribed to that stream will see the files within, and they will all be added from that address.